Re: Trillian Ver 3.1 saves password's in plain Text

[Suramya Tomar <security@xxxxxxxxxxx>]

Hi Bond,
 Thanks for confirming this on your end. The login does work, but if 
you are already logged in to your yahoo account when you try to use the 
html file to login it doesn't work. I guess it has something to do with 
the recent change in yahoo's authentication check as it used to work 
earlier.

 I am scared to even look at how it stores other passwords. Personally 
I prefer using gaim. Atleast that is a lot more secure and its 
developers seem to take security a lot more seriously.

Thanks,
 Suramya

> Hi Suramya,
>
> You are correct. It looks like Trillian creates an HTML page that tries to
> accomplish the login but it doesn't work anyway. Yahoo's login mechanism
> isn't a simple form submit.
>
> Yet again, another poorly designed application. Now I wonder how it stores
> acct passwords in general. However, it does remove the file when Trillian is
> closed.
>
> -Bond 
>
> -----Original Message-----
> From: Suramya Tomar [mailto:security@xxxxxxxxxxx] 
> Sent: Saturday, July 30, 2005 9:49 PM
> To: bond.masuda@xxxxxxxxxx
> Subject: Re: Trillian Ver 3.1 saves password's in plain Text
>
> Hi,
>   I tested it on a new install with no changes made to the default config.
>
> The steps I followed were as follows:
>
> 1. Install Trillian Pro Trial
> 2. Click on Trillian -> Manage My Connections
> 3. Click on the 'Add new Connection' button
> 4. Choose Yahoo from the list that pops up
> 5. Enter your yahoo username and password
> 6. Click on connect
> 7. Click on Close
> 8. Click on the Little red ball in Trillian
> 9. Choose 'Check Yahoo Mail'
>
> Now a browser window should open up with your yahoo email account open. 
> If you are quick enough you will see that the browser opens a local html 
> file before transfering to the yahoo account. This is the file you are 
> looking for.
>
> It is created under the default user directory. On my system it was 
> created in the C:\Program Files\Trillian\users\default\cache directory. 
> and has my username/password in plain text in it.
>
> Try it out and let me know if you still have problems duplicating it.
>
> Thanks,
>   Suramya
>
>
>
> > HI Suramya,
> >
> > I tried to verify this on 3.0 b121 too, but I cannot duplicate. The only
> > files I find in the cache directory are png images and some html files
>
> that
>
> > are simply links to the yahoo SSL login page. There must be some other
> > setting that is different from yours than mines. Perhaps we can figure
>
> this
>
> > out together? Going on your word that this vulnerability exists, I'm
> > thinking the conditions to replicate it are more specific.
> >
> > Sincerely,
> > -Bond Masuda
> > Security Consultant, CISSP
> > -------------------------------------
> > JL Bond Consulting / www.JLBond.com
> > Tel: 619.890.7360
> > Email: bond.masuda@xxxxxxxxxx


--
----------------------------------------------------------
Some days you're the dog; some days you're the hydrant.
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************