[VulnWatch] RE: Trillian weakly encrypts saved passwords

From: Brenna Primrose (drxlecter@phreaker.net)
Date: 09/09/02


From: "Brenna Primrose" <drxlecter@phreaker.net>
To: "'Evan Nemerson'" <enemerson@coeus-group.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>, <news@securiteam.com>
Date: Mon, 9 Sep 2002 13:26:42 -0500

This bug has been known for at least a few months. Nothing new here...

http://lists.insecure.org/vuln-dev/2002/Jun/0060.html

http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t@creighton.edu
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------
-----Original Message-----
From: Evan Nemerson [mailto:enemerson@coeus-group.com]
Sent: Monday, September 09, 2002 4:20 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
submissions@packetstormsecurity.org; news@securiteam.com
Subject: Trillian weakly encrypts saved passwords

Software:
Trillian 0.73, possibly other versions.

Issue:
Weak "encryption" of saved passwords.

Impact:
Decryption of saved passwords.

Vendor notified:
3 Sept., 2002. No response.

Severity:
Medium. ish. The program only works locally, and only if the subject
has saved their password, and really if someone can get into your AIM
account, how earth-shattering is that??? However, since a lot of people
use
the same password for everything...

---------------------

Trillian is, according to trillian.cc, "...everything you need for
instant
messaging. Connect to ICQR, AOL Instant Messenger(SM), MSN Messenger,
Yahoo!
Messenger and IRC in a single, sleek and slim interface."

Upon examination of the Trillian directory (which defaults to C:\Program

Files\Trillian\ ), it appears that passwords are stored in ini files
that are
located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
encrypted using a simple XOR with a key apparently uniform throughout
every
installation.

The attached program takes, as command line argument(s), path(s) to
these INI
files. It will then display a list of usernames, "encrypted" passwords,
and
plaintext passwords.

Evan Nemerson
enemerson@coeus-group.com
http://www.coeus-group.com



Relevant Pages

  • Re: Trillian weakly encrypts saved passwords
    ... one could just copy and use the ini file your own pc. ... Trillian weakly encrypts saved passwords ...
    (Bugtraq)
  • Re: Trillian weakly encrypts saved passwords
    ... obfuscating saved passwords to prevent casual shoulder-surfing. ... Trillian could use PBKDF2 to save the passwords locally, ... > Weak "encryption" of saved passwords. ...
    (Bugtraq)
  • Trillian weakly encrypts saved passwords
    ... Trillian 0.73, possibly other versions. ... Weak "encryption" of saved passwords. ...
    (Bugtraq)
  • Re: store passwords securely in the internet
    ... the passwords are stored encrypted on the server. ... I know that you have to trust the provider to give it your passwords. ... encrypts and decrypts the stored passwords with the masterpassword? ... When the user creates a passwordstore, he must give a masterpassword. ...
    (Security-Basics)
  • Re: One more "sensitive info" security question
    ... I have my ever growing list of passwords printed on 4 pieces of paper ... >are any number of secure web mail solutions - even Hotmail encrypts the ... >use TLS for secure login, and most mail clients can also. ... all her important online accounts. ...
    (alt.internet.wireless)