[29309] in bugtraq
GiantRat Mailer exposes PoP password
daemon@ATHENA.MIT.EDU (maninthemiddle@hushmail.com)
Fri Mar 14 14:24:55 2003
Message-Id: <200303132202.h2DM23dG061929@mailserver2.hushmail.com>
Date: Thu, 13 Mar 2003 14:02:03 -0800
To: bugtraq@securityfocus.com
From: maninthemiddle@hushmail.com
Security advisory
Issue: GiantRat Mailer exposes plain text PoP password
Date: 03/13/03
Vendor first notified: February 2003
Affected versions: All (tested v3.1, 2.x, 1.x)
ABOUT GiantRat Mailer:
GiantRat Mailer is an innovative email client that has settings for the sight-impaired and has optional voice prompts utilizing MS-Agent. Currently there are thousands of installations worldwide in use by the blind.
SECURITY ISSUES:
In the root of the client installation, e.g., c:\program files\giantrat, the GiantRat.ini file clearly shows user login information and the PoP password in line 18. There is no encryption whatsoever.
Risk: Obvious – the blind can’t see it but we sure can…even after a few shots of Stolichnaya.
ADVICE TO USERS:
Make sure your hard drives are secure and safe from prying eyes.
VENDOR RESPONSE: The company was made aware and has implemented an XOR encryption algorithm effective 03/13/2003 that scrambles the password in the .ini file.
Updates are available.
Regards,
maninthemiddle@hushmail.com
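
Added example, not part of the original advisory or the vendor's code: a small audit that flags credential-like keys in an INI file by line number, and shows that a value scrambled with a repeating-key XOR only changes the audit verdict to "encoded" while remaining reversible by anyone holding the client's key. The INI key names, the sample values, the key, and the assumption that the vendor's fix is a repeating-key XOR are all constructed for illustration; the advisory does not describe them.

```python
import re

# Constructed sample; the advisory does not show GiantRat.ini's real key names.
SAMPLE_INI = """[Account]
Server=pop.example.test
User=alice
Password=hunter2-constructed
[Display]
FontSize=18
"""
CRED_KEY = re.compile(r"pass|pwd|secret", re.IGNORECASE)
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")

def audit_ini(text):
    """Return (line_no, section, key, verdict) for each credential-like key."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or not CRED_KEY.search(key):
            continue
        value = value.strip()
        if not value:
            verdict = "empty"
        elif HEX_BLOB.fullmatch(value) or not value.isprintable():
            verdict = "encoded"           # heuristic: scrambled, not necessarily protected
        else:
            verdict = "plaintext"
        findings.append((no, section, key.strip(), verdict))
    return findings

def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call also unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def demo():
    key = b"constructed-key"              # hypothetical key shipped with the client
    secret = b"hunter2-constructed"
    stored = xor_scramble(secret, key).hex()
    patched = SAMPLE_INI.replace(secret.decode(), stored)
    recovered = xor_scramble(bytes.fromhex(stored), key)
    return audit_ini(SAMPLE_INI), audit_ini(patched), recovered

if __name__ == "__main__":
    print(demo())
```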