[26961] in bugtraq
Re: Trillian weakly encrypts saved passwords
daemon@ATHENA.MIT.EDU (Mike Benham)
Mon Sep 9 16:08:25 2002
Date: Mon, 9 Sep 2002 11:29:14 -0700 (PDT)
From: Mike Benham <moxie@thoughtcrime.org>
To: Evan Nemerson <enemerson@coeus-group.com>
In-Reply-To: <200209090140.22119.enemerson@coeus-group.com>
Message-ID: <Pine.BSO.4.33.0209091124070.5098-100000@moxie.thoughtcrime.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8bit
I think you'll find that there isn't really a secure way to store
passwords locally. I think Trillian has done the right thing here by
obfuscating saved passwords to prevent casual shoulder-surfing.
Trillian could use PBKDF2 to save the passwords locally, but then you'd
have to enter a password to retrieve your saved password. If you have
reason to worry about the security of your saved password, don't save it.
- Mike
--
http://www.thoughtcrime.org
On Mon, 9 Sep 2002, Evan Nemerson wrote:
> Software:
> Trillian 0.73, possibly other versions.
>
> Issue:
> Weak "encryption" of saved passwords.
>
> Impact:
> Decryption of saved passwords.
>
> Vendor notified:
> 3 Sept., 2002. No response.
>
> Severity:
> Medium. ish. The program only works locally, and only if the subject
> has saved their password, and really if someone can get into your AIM
> account, how earth-shattering is that??? However, since a lot of people use
> the same password for everything...
>
> ---------------------
>
> Trillian is, according to trillian.cc, "...everything you need for instant
> messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo!
> Messenger and IRC in a single, sleek and slim interface."
>
> Upon examination of the Trillian directory (which defaults to C:\Program
> Files\Trillian\ ), it appears that passwords are stored in ini files that are
> located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
> encrypted using a simple XOR with a key apparently uniform throughout every
> installation.
>
> The attached program takes, as command line argument(s), path(s) to these INI
> files. It will then display a list of usernames, "encrypted" passwords, and
> plaintext passwords.
>
>
> Evan Nemerson
> enemerson@coeus-group.com
> http://www.coeus-group.com
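The contrast Mike draws above (a product-wide XOR key is obfuscation, a PBKDF2-derived key costs you a master password), as an added illustration that belongs to neither message: the XOR key, salt and passwords are constructed stand-ins, not Trillian's, and the HMAC counter keystream is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for a fixed, product-wide key (NOT Trillian's key).
FIXED_KEY = bytes.fromhex("5a13c8e7b02f9d41")


def xor_store(password: str) -> str:
    """What a fixed-key XOR scheme writes to the ini file (hex)."""
    return xor_bytes(password.encode(), FIXED_KEY).hex()


def key_from_known_pair(password: str, stored_hex: str) -> bytes:
    """Why this is obfuscation: one account whose password is known yields
    the key bytes (up to the password length), and because the key is the
    same in every installation, that is all an attacker ever needs."""
    return xor_bytes(bytes.fromhex(stored_hex), password.encode())


# --- the alternative Mike describes: a key derived from a master password ---
def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Per-installation salt + master password -> (encryption key, MAC key)."""
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a PRF keystream; use a real AEAD in production.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def pbkdf2_store(password: str, master: str, salt: bytes) -> bytes:
    """Blob = nonce || ciphertext || tag; useless without the master password."""
    enc_key, mac_key = derive_keys(master, salt)
    nonce = os.urandom(16)
    pt = password.encode()
    ct = xor_bytes(pt, _keystream(enc_key, nonce, len(pt)))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def pbkdf2_retrieve(blob: bytes, master: str, salt: bytes) -> str:
    enc_key, mac_key = derive_keys(master, salt)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong master password or tampered blob")
    return xor_bytes(ct, _keystream(enc_key, nonce, len(ct))).decode()
```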