[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Google Talk cleartext credentials in process memory
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Google Talk cleartext credentials in process memory
- From: pagvac <unknown.pentester@xxxxxxxxx>
- Date: Tue, 29 Nov 2005 10:23:26 +0000
Jaroslaw,
thanks for your post. You're right, the same issue occurs in *many*
applications. However, any vendor that is serious about security should
at least attempt to obfuscate the credentials in the process memory (IMHO).
I just published the advisory to let the public know that Google "fixed" this
problem, that's all.
However I respect your opinion and appreciate your post.
On 11/29/05, Jaroslaw Sajko <sloik@xxxxxxxxxxxx> wrote:
> pagvac wrote:
> > Title: Google Talk Beta Messenger cleartext credentials in process memory
> >
> >
> > Description
> >
> > Google Talk stores all user credentials (username and password) in
> > clear-text in the process memory. Such vulnerability was found on
> > August 25, 2005 (two days after the release of Google Talk) and has
> > already been patched by Google.
> >
> > This issue would occur regardless of whether the "Save Password"
> > feature was enabled or not.
>
> The same issue concerns many applications, ie. Gadu-Gadu - another
> instant messenger. In my opinion such "vulnerabilities" are not worthy
> publishing (for Gadu-Gadu we have not published this kind of software
> behaviour) because if you can dump other user process or trick him to
> execute any code then reading the password from the process memory is
> only one of many things which you can do.
>
> regards,
> js
>
--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust
--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/