Re: Trillian Ver 3.1 saves password's in plain Text

From: patrick (mccpat_at_gmail.com)
Date: 08/05/05

    Date: Fri, 05 Aug 2005 00:19:22 -0500
    To: Keith Phillips <kphillips@everdreamcorp.com>, bugtraq@securityfocus.com
    
    

    Keith Phillips wrote:

    >The issue arises when you click the link to your Yahoo mail under "My
    >Mail Accounts". This creates an html file in the directory discussed
    >below which contains user name and clear text password.
    >
    >KP
    >
    >-----Original Message-----
    >From: security curmudgeon [mailto:jericho@attrition.org]
    >Sent: Tuesday, August 02, 2005 3:51 AM
    >To: bugtraq@securityfocus.com
    >Cc: Suramya Tomar
    >Subject: Re: Trillian Ver 3.1 saves password's in plain Text
    >
    >
    >Hi Suramya,
    >
    >: I was playing around with Trillian Pro 3.1 Build 121 and noticed a
    >: very disturbing behavior when using it to check my yahoo mail.
    >:
    >: When you choose the option to check your yahoo email from Trillian
    >: (The little connection ball -> Check Yahoo Mail) it creates a temp file in
    >: the <Install Directory>\users\default\cache with a random name that
    >: contains the yahoo password in *clear text* and this file is world
    >: readable. This would be somewhat ok if the file was deleted as soon as
    >: the login was done but the file just sits there till you exit out of
    >: trillian. Logging out doesn't erase the file. I have watched the file
    >: exist on my system for over two weeks.
    >:
    >: I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on
    >: Windows XP Pro and Windows 2000.
    >
    >I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this
    >behavior. I have a YIM, ICQ, AIM and several Jabber accounts. My cache
    >directory has several files in it; buddy type icon files for various
    >AIM/YIM users, graphics for plugins, etc. In fact, every single file in
    >there is JPEG, GIF or PNG.
    >
    >Doing a case insensitive grep through all the files, I can't find any
    >trace of any of my passwords in any file in this directory. All of the
    >files are dated 08/01/2005 shortly after I started Trillian up after
    >returning from out of town.
    >
    >Could this occur the first time you set up a specific protocol/account,
    >and that cache file is erased upon Trillian restart? If so, that would
    >still be an issue, although considerably less severe. If not that, is
    >there anything else being done differently here?
    >
    >: I have attempted to contact Cerulean Studios multiple times before
    >: releasing this using their webform, email and forums over the past
    >: month but haven't heard anything back from them. My last attempt to contact
    >: them was on 06/13/2005. Since I haven't heard anything from them I am
    >: sending this to Bugtraq.
    >
    >Before 3.x (i think), Trillian had a way to submit bugs/feedback from
    >within the program, and all of my reports were responded to within 24
    >hours. Since 3.x I believe that feature is gone. Doesn't help you, just
    >a side comment =) Would be nice to see Cerulean bring this back.
    >
    I'd just like to add that, while it may not be relevant, Gaim does
    the same thing (in Window$). It stores the passwords in plain text, in
    the user accounts directory (i.e. c:\documents and settings\user123).
    More on that here: <http://gaim.sourceforge.net/plaintextpasswords.php>

    -- 
    Patrick M.
    /* EOF */
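The check described in the quoted reply (a case-insensitive search of the cache directory for any file containing the password) written out as an added example; this is not code from the original post, nor from Trillian, Gaim or Cerulean Studios. It assumes Python 3, builds its own constructed sample cache in a temporary directory (the file names, contents and the placeholder password `S3cretPass` are invented), and goes slightly beyond the grep by also reporting each matching file's type and age, since the reply notes that every legitimate cache entry was a JPEG, GIF or PNG and the original report says the file persisted for two weeks.

```python
"""Audit a client's cache directory for a credential left in clear text.

Added example (not from the original post or from Trillian): walks a
directory tree, searches every file for a password case-insensitively
(the `grep -i` check described in the reply), and reports each hit's
file type and age so that stale non-image files stand out.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

SECONDS_PER_DAY = 86400

# Magic bytes of the file types a healthy cache was reported to contain.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"GIF8": "GIF",
    b"\x89PNG": "PNG",
}


@dataclass
class Finding:
    path: str        # path relative to the scanned root
    kind: str        # "JPEG", "GIF", "PNG" or "other"
    age_days: float  # time since last modification


def classify(data: bytes) -> str:
    """Name the file type from its leading bytes, or "other" if not an image."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "other"


def scan_cache(root: str, secret: str, now: Optional[float] = None) -> List[Finding]:
    """Return every file under root whose bytes contain secret, ignoring ASCII case."""
    now = time.time() if now is None else now
    # bytes.lower() folds ASCII only, which matches `grep -i` in the C locale.
    needle = secret.encode("utf-8").lower()
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the audit
            if needle in data.lower():
                age = (now - os.path.getmtime(path)) / SECONDS_PER_DAY
                findings.append(Finding(os.path.relpath(path, root), classify(data), age))
    return sorted(findings, key=lambda f: f.path)


def build_sample_cache(root: str, secret: str, now: float) -> None:
    """Create a constructed cache directory: two image files and one stale
    temp file that embeds the secret, as the original report describes."""
    samples = {
        "buddy_icon.gif": (b"GIF89a" + b"\x00" * 16, 0),
        "plugin.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, 0),
        # Random-looking name, an HTML login form holding the password, 15 days old.
        "7f3a9c2e.tmp": (
            b"<form><input name=\"login\" value=\"user123\">"
            b"<input name=\"passwd\" value=\"" + secret.encode("utf-8") + b"\"></form>",
            15,
        ),
    }
    for name, (data, age_days) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        mtime = now - age_days * SECONDS_PER_DAY
        os.utime(path, (mtime, mtime))  # backdate so the age column is meaningful


def demo(secret: str = "S3cretPass") -> List[Finding]:
    """Build the constructed cache in a temp dir and scan it, searching with
    the password in a different case to show that the match ignores case."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root, secret, now)
        return scan_cache(root, secret.upper(), now)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.kind}, {f.age_days:.1f} days old, contains the password")
```

Run against a real cache directory with `scan_cache(path, password)`; any hit that is not an image, or that is far older than the current session, is the kind of file the report describes and should be wiped and the password changed.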
    
