Vulnerability Development mailing list archives

RE: Trillian Messaging Software


From: "Mike Theriault" <Mike_Theriault () Jabil com>
Date: Wed, 5 Jun 2002 15:20:34 -0400

Several of us in our LAN use it and since I'm a "Curious George" and always
manage to find an exploit or two in most messaging products, I have not
found any significant security issues with Trillian.  However, there is a
small but potentially serious issue with the way it redirects your MSN
account to Hotmail.  Trillian invokes the shdocvw.dll Internet Explorer type
library and passes a string in a URL that contains your username and
password in plain text.  This is especially dangerous when someone is
sniffing your network segment and/or your friendly neighborhood IT Network
Administrator peruses the firewall logs and discovers your MSN credentials.

Also, Trillian's default configuration turns on logging for all chat client
types.  So if you use it, be sure to turn it off, unless you want prying
eyes to find out what you really think about your boss.

I chose the blue pill and uninstalled it.

Mike

                -----Original Message-----
                From:   rogue [mailto:rogue () nocdemon net]
                Sent:   Wednesday, June 05, 2002 12:10 PM
                To:     vuln-dev () securityfocus com
                Cc:     security-basics () securityfocus com
                Subject:        Trillian Messaging Software

                A bunch of users on my Win2k network are asking to install
                Trillian messaging software on their workstations because it
                allows messaging across several systems (AIM, Yahoo Messenger,
                ICQ, etc.) and I was wondering if anyone here has been using
                it and if there are any security issues which have surfaced
                before allowing this software on my network. Thanks all!



                -- 
                ==================
                rogue () nocdemon net
                             {\o0|
                ==================
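An added example, not part of this thread or of Trillian's own code, of the log check the "IT Network Administrator peruses the firewall logs" scenario above implies: scanning proxy/firewall log lines for URLs that carry credentials in the query string or in user:pass@host userinfo, flagging them and redacting the secrets before the line is stored. The parameter names, hostnames and log lines are constructed assumptions; the page does not give Trillian's actual URL format.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
# Query-string keys that commonly carry a secret (assumed list; extend as needed).
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "login", "username", "user"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def redact_url(url):
    """Return (redacted_url, leaked_keys). Values of credential-looking query
    keys and any user:pass@ userinfo are replaced with REDACTED."""
    parts = urlsplit(url)
    leaked, clean_params = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in CREDENTIAL_KEYS and value:
            leaked.append(key)
            clean_params.append((key, "REDACTED"))
        else:
            clean_params.append((key, value))
    netloc = parts.netloc
    if parts.password:  # credentials embedded as user:pass@host
        leaked.append("userinfo")
        netloc = f"{parts.username}:REDACTED@{parts.hostname}"
        if parts.port:
            netloc += f":{parts.port}"
    redacted = urlunsplit((parts.scheme, netloc, parts.path,
                           urlencode(clean_params), parts.fragment))
    return redacted, leaked

def scan_log(lines):
    """Yield (line_no, leaked_keys, redacted_line) for every line whose URLs
    expose credentials; lines without a leak are skipped."""
    for no, line in enumerate(lines, 1):
        leaked_all = []
        def _sub(match):
            redacted, leaked = redact_url(match.group(0))
            leaked_all.extend(leaked)
            return redacted
        new_line = URL_RE.sub(_sub, line)
        if leaked_all:
            yield no, leaked_all, new_line

# Constructed sample proxy log lines (not real traffic; hostnames are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2002:12:10:00] "GET http://www.example.com/news HTTP/1.0" 200',
    '10.0.0.7 - - [05/Jun/2002:12:11:02] "GET http://mail.example.com/login?login=alice&passwd=hunter2&go=inbox HTTP/1.0" 302',
    '10.0.0.9 - - [05/Jun/2002:12:12:30] "GET http://alice:s3cret@ftp.example.com/ HTTP/1.0" 200',
]

if __name__ == "__main__":
    for no, keys, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: credentials in URL ({', '.join(keys)})\n   {line}")
```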
                