[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] pidgin OTR information leakage
- To: Michele Orru <antisnatchor@xxxxxxxxx>
- Subject: Re: [Full-disclosure] pidgin OTR information leakage
- From: Rich Pieri <ratinox@xxxxxxx>
- Date: Mon, 27 Feb 2012 20:21:10 +0000
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
> I think you didn't understood the content of the advisory.
> If there are 10 non-root users in an Ubuntu machine for example,
> if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
> can see what user 1 pidgin conversation.
This is not what the OP or CVE describe:
>> plaintext. This makes it possible for attackers that have gained
>> user-level access on a host, to listen in on private conversations
>> associated with the victim account.
Which I read as: if I compromise user1's account then I can snoop user1's DBUS
sessions. It says nothing about me being able to snoop user2's sessions. The
leading phrase about attackers gaining user-level access implies that
legitimate users on a system are not a relevant issue.
I believe that clarification is in order.
--
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/