Re: pidgin OTR information leakage
- From: Jann Horn <jannhorn@xxxxxxxxxxxxxx>
- Date: Mon, 27 Feb 2012 18:27:14 +0100
2012/2/25 Dimitris Glynos <dimitris@xxxxxxxxxxxxxxx>:
Pidgin transmits OTR (off-the-record) conversations over DBUS in
plaintext. This makes it possible for attackers that have gained
user-level access on a host, to listen in on private conversations
associated with the victim account.
Basically, you're saying that if I have the rights of a user on a
machine, I can access the private conversations of that user? Ooooh
no. Well, I can also copy his keyfiles, no? And I can alter his
settings. And spawn fake "Update didn't work, please enter root
password to proceed" windows. I could alter his ~/.bashrc so that
whenever he launches "sudo" or "su", a script is launched instead that
grabs his password. So, please, what's the point?
- Follow-Ups:
- Re: [Full-disclosure] pidgin OTR information leakage
- From: Michele Orru
- Re: [Full-disclosure] pidgin OTR information leakage
- References:
- pidgin OTR information leakage
- From: Dimitris Glynos
- pidgin OTR information leakage
- Prev by Date: Wolf CMS v0.7.5 - Multiple Web Vulnerabilities
- Next by Date: [SECURITY] [DSA 2418-1] postgresql-8.4 security update
- Previous by thread: pidgin OTR information leakage
- Next by thread: Re: [Full-disclosure] pidgin OTR information leakage
- Index(es):
Relevant Pages
|
