<<< Date Index >>>     <<< Thread Index >>>

Re: Trillian Ver 3.1 saves password's in plain Text



Hi Bond,
Thanks for confirming this on your end. The login does work, but if you are already logged in to your yahoo account when you try to use the html file to login it doesn't work. I guess it has something to do with the recent change in yahoo's authentication check as it used to work earlier.

I am scared to even look at how it stores other passwords. Personally I prefer using gaim. Atleast that is a lot more secure and its developers seem to take security a lot more seriously.

Thanks,
 Suramya

Hi Suramya,

You are correct. It looks like Trillian creates an HTML page that tries to
accomplish the login but it doesn't work anyway. Yahoo's login mechanism
isn't a simple form submit.

Yet again, another poorly designed application. Now I wonder how it stores
acct passwords in general. However, it does remove the file when Trillian is
closed.

-Bond
-----Original Message-----
From: Suramya Tomar [mailto:security@xxxxxxxxxxx] Sent: Saturday, July 30, 2005 9:49 PM
To: bond.masuda@xxxxxxxxxx
Subject: Re: Trillian Ver 3.1 saves password's in plain Text

Hi,
  I tested it on a new install with no changes made to the default config.

The steps I followed were as follows:

1. Install Trillian Pro Trial
2. Click on Trillian -> Manage My Connections
3. Click on the 'Add new Connection' button
4. Choose Yahoo from the list that pops up
5. Enter your yahoo username and password
6. Click on connect
7. Click on Close
8. Click on the Little red ball in Trillian
9. Choose 'Check Yahoo Mail'

Now a browser window should open up with your yahoo email account open. If you are quick enough you will see that the browser opens a local html file before transfering to the yahoo account. This is the file you are looking for.

It is created under the default user directory. On my system it was created in the C:\Program Files\Trillian\users\default\cache directory. and has my username/password in plain text in it.

Try it out and let me know if you still have problems duplicating it.

Thanks,
  Suramya



HI Suramya,

I tried to verify this on 3.0 b121 too, but I cannot duplicate. The only
files I find in the cache directory are png images and some html files

that

are simply links to the yahoo SSL login page. There must be some other
setting that is different from yours than mines. Perhaps we can figure

this

out together? Going on your word that this vulnerability exists, I'm
thinking the conditions to replicate it are more specific.

Sincerely,
-Bond Masuda
Security Consultant, CISSP
-------------------------------------
JL Bond Consulting / www.JLBond.com
Tel: 619.890.7360
Email: bond.masuda@xxxxxxxxxx






--
----------------------------------------------------------
Some days you're the dog; some days you're the hydrant.
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************