Vulnerability Development mailing list archives
RE: Trillian Messaging Software
From: "Mike Theriault" <Mike_Theriault () Jabil com>
Date: Wed, 5 Jun 2002 15:20:34 -0400
Several of us in our LAN use it and since I'm a "Curious George" and always manage to find an exploit or two in most messaging products, I have not found any significant security issues with Trillian. However, there is a small but potentially serious issue with the way it redirects your MSN account to Hotmail. Trillian invokes shdocvw.dll Internet Explorer type library and passes a string in a URL that contains your username and password in plain-text. This is especially dangerous when someone is sniffing your network segment and/or your friendly neighborhood IT Network Administrator peruses the firewall logs and discovers your MSN credentials.

Also, Trillian's default configuration turns on logging for all chat client types. So if you use it, be sure to turn it off, unless you want prying eyes to find out what you really think about your boss.

I chose the blue pill and uninstalled it.

Mike

-----Original Message-----
From: rogue [mailto:rogue () nocdemon net]
Sent: Wednesday, June 05, 2002 12:10 PM
To: vuln-dev () securityfocus com
Cc: security-basics () securityfocus com
Subject: Trillian Messaging Software

A bunch of users on my Win2k network are asking to install Trillian messaging software on their workstations because it allows messaging across several systems (AIM, Yahoo Messenger, ICQ, etc) and I was wondering if anyone here has been using it and if there are any security issues which have surfaced before allowing this software on my network.

Thanks all!

--
==================
rogue () nocdemon net {\o0|
==================
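
The exposure described in the message above (a password carried in a URL, readable by anyone who sees proxy or firewall logs) can be audited for from the defender's side. The following is an added example, not part of the original post and not Trillian code: it scans log lines for URLs that carry a password and redacts the value before the line is stored or shared. The parameter names, hosts and log lines are constructed assumptions, since the post does not give the actual URL format.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names; the post does not say which names the URL used.
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def redact_url(url):
    """Return (redacted_url, fields) where fields names each password found."""
    parts = urlsplit(url)
    found, netloc, query = [], parts.netloc, parts.query
    if parts.password is not None:  # user:password@host in the authority
        found.append("userinfo")
        netloc = f"{parts.username}:REDACTED@{netloc.rsplit('@', 1)[1]}"
    pairs, query_hit = [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PASSWORD_PARAMS and value:
            found.append(key.lower())
            value, query_hit = "REDACTED", True
        pairs.append((key, value))
    if query_hit:  # rebuild the query only when something was redacted
        query = urlencode(pairs)
    redacted = urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))
    return redacted, found

def scan_log(lines):
    """Return (line_number, redacted_url, fields) for every URL with a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in URL_RE.finditer(line):
            redacted, fields = redact_url(match.group(0))
            if fields:
                hits.append((number, redacted, fields))
    return hits

# Constructed sample proxy log lines (not real traffic; hosts are placeholders).
SAMPLE_LOG = [
    '10.0.0.12 - - [05/Jun/2002:15:01:10 -0400] "GET '
    'http://mail.example.test/inbox?login=alice&passwd=hunter2&lang=en HTTP/1.0" 200 5120',
    '10.0.0.15 - - [05/Jun/2002:15:02:44 -0400] "GET '
    'http://www.example.test/news?id=42 HTTP/1.0" 200 881',
    '10.0.0.19 - - [05/Jun/2002:15:03:02 -0400] "GET '
    'http://bob:s3cret@files.example.test/report.doc HTTP/1.0" 200 20480',
]

if __name__ == "__main__":
    for number, url, fields in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(fields)} -> {url}")
```

The username is left visible so the affected account can be identified and its password changed; only the secret itself is replaced.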