
RE: Trillian Ver 3.1 saves passwords in plain text



From: security curmudgeon [mailto:jericho@xxxxxxxxxxxxx] 
> : I was playing around with Trillian Pro 3.1 Build 121 and noticed
> : a very disturbing behavior when using it to check my yahoo mail.
> : 
> : When you choose the option to check your yahoo email from
> : Trillian (The little connection ball -> Check Yahoo Mail) it
> : creates a temp file in the <Install
> : Directory>\users\default\cache with a random name that contains
> : the yahoo password in *clear text* and this file is world 
> : readable. This would be somewhat ok if the file was deleted as
> : soon as the login was done but the file just sits there till you
> : exit out of trillian. Logging out doesn't erase the file. I have
> : watched the file exist on my system for over two weeks.
> : 
> : I have duplicated this with Trillian 3.0 Basic and Pro also.
> : Tested on Windows XP Pro and Windows 2000.
> 
> I have Trillian Pro 3.1 Build 121 on Windows XP and can't
> duplicate this behavior.

Did you use the "Check Yahoo! Mail..." function?

I'm running v3.1 Basic, Build 121, running on Windows XP Pro SP2.  When
I started Trillian, there were just image files in the cache directory
as you describe.  When I used the "Check Yahoo! Mail" function as
described by the OP, an HTML file was created in the cache folder.  The
contents of the file are a form containing, among other information,
these lines:

username='<my Yahoo! username in plaintext>';
password='<my Yahoo! password in plaintext>';

The filename used is insufficiently random to provide any real benefit.
The file names used (in order used) were:

sfd27.html
sfd67.html
sfd96.html
sfd82.html
sfd36.html
sfd3.html

I also checked this behavior with MSN and AIM:

With the "Check Hotmail..." function, a temporary HTML form file is also
created but the Passport login uses a hash-based authentication
mechanism.  The temp file is similarly long-lived, but the hash is
different each time a new temp file is created.

AIM's "Check AOL Mail" function didn't result in the creation of a temp
file like those used for Yahoo! and MSN.  I don't have an AOL mail
account and that may have been a factor.

I do agree that the temp files are a poor implementation.  There's no
reason to store such single-use information on disk.  But then I suppose
this is fairly moot, since all of the passwords are stored as a
reversible hash in static files in the user's directory.
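The following is an added example, not code from the post or from Trillian, showing how an administrator could check a machine for the leftover files described in this thread: it enumerates the filename space implied by the observed sfdNN.html names, scans a cache directory for files matching that pattern, and reports which of them still carry a username='...'; password='...'; pair without ever printing the password. The sample form content and the temporary directory are constructed for the demo; the assumption that the numeric suffix stays below 100 is drawn from the six names quoted above and may not hold for the real generator. Point scan_cache() at <Install Directory>\users\default\cache to run it against a real installation.

```python
"""Scan a Trillian-style cache directory for leftover login forms (added example)."""
import os
import re
import tempfile
import time

# Pattern for the two lines the post reports inside the cached form:
#   username='<name>';
#   password='<secret>';
_CRED_RE = re.compile(r"^\s*(username|password)\s*=\s*'([^']*)'\s*;", re.M)

# Filenames seen in the post: "sfd" + a one- or two-digit number + ".html".
# Assumption (not stated in the post): the suffix never exceeds two digits.
_NAME_RE = re.compile(r"^sfd\d{1,2}\.html$", re.I)


def candidate_names(limit=100):
    """Every filename an attacker would need to try if the suffix is 0..limit-1.

    This is the whole search space if the assumption above holds, which is why
    the post calls the naming "insufficiently random".
    """
    return [f"sfd{n}.html" for n in range(limit)]


def extract_credentials(text):
    """Return {'username': ..., 'password': ...} for whichever fields the form text holds."""
    return {key.lower(): value for key, value in _CRED_RE.findall(text)}


def scan_cache(cache_dir, now=None):
    """Report every sfdNN.html under cache_dir that still holds a password.

    Returns a list of dicts with path, username, password_present and
    age_seconds (time since last modification). The password value itself is
    never returned, so the report is safe to log.
    """
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        if not _NAME_RE.match(name):
            continue  # image files and other cache content are skipped
        path = os.path.join(cache_dir, name)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            creds = extract_credentials(fh.read())
        if "password" not in creds:
            continue  # matches the name pattern but carries no credential
        findings.append({
            "path": path,
            "username": creds.get("username", "<none>"),
            "password_present": bool(creds["password"]),
            "age_seconds": int(now - os.path.getmtime(path)),
        })
    return findings


# Constructed sample, not a real capture: the credential lines the post quotes,
# surrounded by the kind of auto-submit markup such a form would plausibly have.
SAMPLE_FORM = """<html><body><script>
var form = document.forms[0];
username='alice';
password='hunter2';
form.submit();
</script></body></html>
"""


def demo():
    """Build a throwaway cache directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as cache:
        with open(os.path.join(cache, "sfd27.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FORM)
        # A decoy that matches the name pattern but holds no credentials.
        with open(os.path.join(cache, "sfd3.html"), "w", encoding="utf-8") as fh:
            fh.write("<html><body>nothing here</body></html>")
        # An image file, the normal content of the cache per the post.
        with open(os.path.join(cache, "avatar.png"), "wb") as fh:
            fh.write(b"\x89PNG")
        findings = scan_cache(cache)
        for f in findings:
            print(f"{f['path']}: user={f['username']} "
                  f"password_present={f['password_present']} age={f['age_seconds']}s")
        return findings


if __name__ == "__main__":
    demo()
```

The scanner deliberately reports only that a password is present, plus the file's age, since the age is what turns a transient login artefact into the two-week exposure the OP describes.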