[24508] in bugtraq


Re: Hotline Client Plain password vuln.

daemon@ATHENA.MIT.EDU (macdaddy@neo.pittstate.edu)
Fri Mar 1 20:58:05 2002

From: macdaddy@neo.pittstate.edu
Date: Fri, 1 Mar 2002 00:33:35 -0600 (CST)
To: Rense Buijen <Rense.Buijen@dct-mail.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <F48061E826461547AB8E0EC916569979022722@AD101.dct.be>
Message-ID: <Pine.LNX.4.10.10203010030570.21558-100000@neo.pittstate.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The Mac client dates back to around the Fall of 1997 and it has always
done that.  All of Hotline's communication is plain text so I imagine the
authors figured there wasn't a need for encryption.  Just store the file
in a secure place like in your personal profile directory and you should
be fine.  I see it as no more insecure than a Netscape bookmarks file in
which you put your userid/passwd in a saved URL.

Justin

--
Justin Shore                    Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

"Time spent tightening security at your site is best spent before a
break-in occurs. Never believe that your site is too small or of too
little consequence. Start out by being wary, and you will be more prepared
when the inevitable attack happens."

  -- "Sendmail, 2nd Edition" by Bryan Costales & Eric Allman for O'Reilly

On Thu, 28 Feb 2002, Rense Buijen wrote:

> 
> Hello,
> 
> I am using Hotline Client 1.8.5 from Hotline Communications Ltd on a
> Windows XP platform. In this client you have the option to save
> bookmarks so you can easily connect to your sites.  When I was looking
> around in the "Bookmarks" dir (program files\hotline communications ltd)
> I saw that the bookmarks store your login, password and host in
> plaintext although it is a binary file. Has this been mentioned before?
> Is this normal or just a flaw from the creators?
> 
> Cheers,
> 
> Rens 
> 
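
Added example (not part of the original messages and not Hotline's code): a Python check for the two points raised in this thread, that a binary file can still hold credentials verbatim, and that the file's permissions are what actually protect it. The sample bytes, field names and file name are constructed and are not the real Hotline bookmark layout; POSIX permission bits are assumed, so Windows ACLs are outside what it checks.

```python
import os
import stat
import tempfile

# Constructed sample: NOT the real Hotline bookmark layout, only binary
# framing bytes around credential fields that are stored as-is.
SAMPLE = (b"\x00\x01\x00\x05guest" b"\x00\x00\x00\x08hunter22"
          b"\x00\x0bexample.org\xff\xfe")

def plaintext_fields(blob, known):
    """Return the names of fields in `known` whose value occurs verbatim in blob."""
    found = []
    for name, value in known.items():
        # Single-byte and UTF-16LE storage are both still plaintext.
        if any(value.encode(enc) in blob for enc in ("utf-8", "utf-16-le")):
            found.append(name)
    return sorted(found)

def readable_by_others(path):
    """True if group or other has read permission (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def restrict_to_owner(path):
    """Apply owner-only read/write, the 'secure place' advice as a file mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    """Write the sample, audit it, tighten it, and report each result."""
    known = {"login": "guest", "password": "hunter22"}  # constructed values
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bookmark.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # a common default: readable by everyone
        with open(path, "rb") as fh:
            exposed = plaintext_fields(fh.read(), known)
        before = readable_by_others(path)
        restrict_to_owner(path)
        after = readable_by_others(path)
    return exposed, before, after

if __name__ == "__main__":
    print(demo())
```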

