#1
Software: Trillian 0.73, possibly other versions.
Issue: Weak "encryption" of saved passwords.
Impact: Decryption of saved passwords.
Vendor notified: 3 Sept., 2002. No response.
Severity: Medium. ish. The program only works locally, and only if the subject has saved their password, and really if someone can get into your AIM account, how earth-shattering is that??? However, since a lot of people use the same password for everything...
---------------------
Trillian is, according to trillian.cc, "...everything you need for instant messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface."
Upon examination of the Trillian directory (which defaults to C:\Program Files\Trillian\ ), it appears that passwords are stored in ini files that are located in {Path to Trillian}\users\{WindowsLogon}. The passwords are encrypted using a simple XOR with a key apparently uniform throughout every installation.
The attached program takes, as command line argument(s), path(s) to these INI files. It will then display a list of usernames, "encrypted" passwords, and plaintext passwords.
Trillian 0.73, possibly other versions.
Issue:
Weak "encryption" of saved passwords.
Impact:
Decryption of saved passwords.
Vendor notified:
3 Sept., 2002. No response.
Severity:
Medium. ish. The program only works locally, and only if the subject
has saved their password, and really if someone can get into your AIM
account, how earth-shattering is that??? However, since a lot of people use
the same password for everything...
---------------------
Trillian is, according to trillian.cc, "...everything you need for instant
messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo!
Messenger and IRC in a single, sleek and slim interface."
Upon examination of the Trillian directory (which defaults to C:\Program
Files\Trillian\ ), it appears that passwords are stored in ini files that are
located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
encrypted using a simple XOR with a key apparently uniform throughout every
installation.
The attached program takes, as command line argument(s), path(s) to these INI
files. It will then display a list of usernames, "encrypted" passwords, and
plaintext passwords.
http://www.coeus-group.com
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...