[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Trillian Ver 3.1 saves password's in plain Text
- To: "'security curmudgeon'" <jericho@xxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: RE: Trillian Ver 3.1 saves password's in plain Text
- From: "Darren Pilgrim" <dmp@xxxxxxxxxxxx>
- Date: Tue, 2 Aug 2005 15:20:40 -0700
From: security curmudgeon [mailto:jericho@xxxxxxxxxxxxx]
> : I was playing around with Trillian Pro 3.1 Build 121 and noticed
> : a very disturbing behavior when using it to check my yahoo mail.
> :
> : When you choose the option to check your yahoo email from
> : Trillian (The little connection ball -> Check Yahoo Mail) it
> : creates a temp file in the <Install
> : Directory>\users\default\cache with a random name that contains
> : the yahoo password in *clear text* and this file is world
> : readable. This would be somewhat ok if the file was deleted as
> : soon as the login was done but the file just sits there till you
> : exit out of trillian. Logging out doesn't erase the file. I have
> : watched the file exist on my system for over two weeks.
> :
> : I have duplicated this with Trillian 3.0 Basic and Pro also.
> : Tested on Windows XP Pro and Windows 2000.
>
> I have Trillian Pro 3.1 Build 121 on Windows XP and can't
> duplicate this behavior.
Did you use the "Check Yahoo! Mail..." function?
I'm running v3.1 Basic, Build 121, running on Windows XP Pro SP2. When
I started Trillian, there were just image files in the cache directory
as you describe. When I used the "Check Yahoo! Mail" function as
described by the OP, an HTML file was created in the cache folder. The
contents of the file is a form containing, among other information,
these lines:
username='<my Yahoo! username in plaintext>';
password='<my Yahoo! password in plaintext>';
The filename used is insufficiently random to provide any real benefit.
The file names used (in order used) were:
sfd27.html
sfd67.html
sfd96.html
sfd82.html
sfd36.html
sfd3.html
I also checked this behavior with MSN and AIM:
With the "Check Hotmail..." function, a temporary HTML form file is also
created but the Passport login uses a hash-based authentication
mechanism. The temp file is similarly long-lived, but the hash is
different each time a new temp file is created.
AIM's "Check AOL Mail" function didn't result in the creation of a temp
file like those used for Yahoo! and MSN. I don't have an AOL mail
account and that may have been a factor.
I do agree that the temp files are poor implementation. There's no
reason to store such single-use information on disk. But then I suppose
this is fairly moot, since all of the passwords are stored as a
reversible hash in static files in the user's directory.