Re: Google Talk cleartext proxy credentials vulnerability

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 10/15/05

    Date: Sat, 15 Oct 2005 23:40:08 +0400
    To: m123303@richmond.ac.uk
    
    

    Dear m123303@richmond.ac.uk,

    Again and again. HKEY_CURRENT_USER is accessible to the user only. If one
    can access the user's account, he can recover _any_ stored password, because
    he can do everything the user can.

    The only additional reason storing a password in the registry is not good is
    that the password can be easily recovered by someone with physical access to
    the hard drive. It's the only attack vector compared with a different password
    store, for example protected storage.

    --Friday, October 14, 2005, 3:06:55 PM, you wrote to bugtraq@securityfocus.com:

    mrau> talk.google.com and are located under

    mrau> HKEY_CURRENT_USER\Software\Google\Google
    mrau> Talk\Accounts\[username]@gmail.com\pw

    -- 
    ~/ZARAZA
    So, I will be brief. (Twain)
    
