Re: [Full-disclosure] Google Talk cleartext credentials in process memory

From: 6ackpace (6ackpace_at_gmail.com)
Date: 11/29/05

  • Next message: advisory_at_dyadsecurity.com: "[Full-disclosure] Webmin miniserv.pl format string vulnerability" 
    Date: Tue, 29 Nov 2005 15:32:48 +0530
To: Jaroslaw Sajko <sloik@parareal.net>

    Hi,

    If i am right Google Talk Beta Messenger cleartext credentials in process
    memory still exist on the current version.
    googles answer for this issue:
    plain char -> hex char

    6ackpace
    On 11/29/05, Jaroslaw Sajko <sloik@parareal.net> wrote:
    >
    > pagvac wrote:
    > > Title: Google Talk Beta Messenger cleartext credentials in process
    > memory
    > >
    > >
    > > Description
    > >
    > > Google Talk stores all user credentials (username and password) in
    > > clear-text in the process memory. Such vulnerability was found on
    > > August 25, 2005 (two days after the release of Google Talk) and has
    > > already been patched by Google.
    > >
    > > This issue would occur regardless of whether the "Save Password"
    > > feature was enabled or not.
    >
    > The same issue concerns many applications, ie. Gadu-Gadu - another
    > instant messenger. In my opinion such "vulnerabilities" are not worthy
    > publishing (for Gadu-Gadu we have not published this kind of software
    > behaviour) because if you can dump other user process or trick him to
    > execute any code then reading the password from the process memory is
    > only one of many things which you can do.
    >
    > regards,
    > js
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: advisory_at_dyadsecurity.com: "[Full-disclosure] Webmin miniserv.pl format string vulnerability"

    Relevant Pages

    • Re: Suns Niagara is out
      ... Distributed programming means the threads are communicating via i/o not by memory so memory coherency isn't needed strictly speaking. ... irrelevant to inter-thread communication in Google: the issue is how much work can be done for a given amount of energy, and since the environment is sufficiently multi-threaded to make full use of Niagara unless Niagara hits some *other* limit it can likely process Google-style threads considerably more efficiently than most conventional MPUs could. ...
      (comp.arch)
    • Re: Xnews out of memory problem
      ... Google just provides an easy way to find and present ... I do not have XNews memory problems, ... it's still very clear that it's part of the thread SCPO ...
      (news.software.readers)
    • Re: hardware problem
      ... > vacuum cleaner), reseat all cards and memory, reconnect all hard drives, ... Thank you Google. ...
      (freebsd-questions)
    • Re: What do you LISPers think of Haskell?
      ... Google wanted their browser to be fast and have low memory usage. ... Why is C++ a bad choice of language then? ...
      (comp.lang.lisp)
    • Re: KHost.exe - Program eror
      ... Google is your friend in this situation. ... > Klicka på OK om du vill avsluta programmet. ... > could not carry out a memory task. ... > Klick on Cancel if you want to debug the program. ...
      (microsoft.public.dotnet.framework.aspnet)