[NEWS] CheetaChat Stores Passwords in the Clear
From: support@securiteam.com
Date: 02/15/03
- Previous message: support@securiteam.com: "[UNIX] HPUX 'Disable' Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 15 Feb 2003 21:25:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
CheetaChat Stores Passwords in the Clear
------------------------------------------------------------------------
SUMMARY
<http://www.cheetachat.net/> CheetaChat is provided as a free, non-profit
user supported chat client for Yahoo, iChat ROOMS, and CheetaServ. A bug
exists in CheetaChat that lets an attacker with access to the yaliases.dat
to get users yahoo passwords in plain text.
DETAILS
Vulnerable systems:
* CheetaChat version 6.5.10 and prior
When users add their Yahoo id to CheetaChat it is encrypted and stored in
a file called yaliases.dat that is stored in the folder where CheetaChat
installed. An attacker who is able to access to the yaliases.dat file can
easily retrieve the users password's in plain text with the
method-illustrated below:
If the attacker loads this file up with CheetaChat, they can then get the
user's password by doing the following:
1. Log into CheetaChat using the id.
2. Click on the settings menu then preferences then once in there check
the box that says "Use internal Browser" then click ok.
3. Now click on the Chat menu and click Account/Password. After this, the
internal browser will load up, send login, and pass to the Yahoo login. If
you look at the very end of the address box, you will see the user's
password in plain text.
Analysis:
An attacker able to obtain the target user's yaliases.dat file can easily
obtain his Yahoo id and password. This could give the attacker access to
the targets full Yahoo account including email, personal details and if
the user used the pay-direct service by Yahoo, the attacker could get
credit card information.
Vendor response:
B0f contacted the vendor about this problem several months ago and never
got a reply. The problem as of this moment has not been addressed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:woot_woot_root@yahoo.co.uk>
b0f www.b0f.net.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[NT] FAR Utility Buffer Overflow"
- Previous message: support@securiteam.com: "[UNIX] HPUX 'Disable' Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
