Re: [Full-disclosure] pidgin OTR information leakage



On 02/27/2012 11:23 PM, devnull@xxxxxxxxxx wrote:

I believe that clarification is in order.

Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.

And it boils down to this:

Once a process sends private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it. So, if for example the user
selects not to log OTR plaintext (so that this sensitive information
doesn't touch the hard drive) another application on the other end
of DBUS might choose to do something different (and not by malicious
intent). There is no way to enforce the same security policy on the
sender and the receivers.

How this could be exploited by attackers or what forensic evidence
DBUS snooping leaves are of much less importance than the above
privacy issue.

There is a very good discussion on the pidgin ticket page:
http://developer.pidgin.im/ticket/14830

Also, I've made some updates to our post, to make it clearer
as to what this issue is about:

http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

If there are still questions, I'll be happy to answer them.

Hope this clarifies things a bit,

Dimitris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages