Hi Suramya,
You are correct. It looks like Trillian creates an HTML page that tries to
accomplish the login but it doesn't work anyway. Yahoo's login mechanism
isn't a simple form submit.
Yet again, another poorly designed application. Now I wonder how it stores
acct passwords in general. However, it does remove the file when Trillian is
closed.
-Bond
-----Original Message-----
From: Suramya Tomar [mailto:security@xxxxxxxxxxx]
Sent: Saturday, July 30, 2005 9:49 PM
To: bond.masuda@xxxxxxxxxx
Subject: Re: Trillian Ver 3.1 saves password's in plain Text
Hi,
I tested it on a new install with no changes made to the default config.
The steps I followed were as follows:
1. Install Trillian Pro Trial
2. Click on Trillian -> Manage My Connections
3. Click on the 'Add new Connection' button
4. Choose Yahoo from the list that pops up
5. Enter your yahoo username and password
6. Click on connect
7. Click on Close
8. Click on the Little red ball in Trillian
9. Choose 'Check Yahoo Mail'
Now a browser window should open up with your yahoo email account open.
If you are quick enough you will see that the browser opens a local html
file before transferring to the yahoo account. This is the file you are
looking for.
It is created under the default user directory. On my system it was
created in the C:\Program Files\Trillian\users\default\cache directory,
and it has my username/password in plain text in it.
Try it out and let me know if you still have problems duplicating it.
Thanks,
Suramya
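A defender's check for the leak described above, added here as an example and not part of the original thread: it walks a cache directory (for instance the C:\Program Files\Trillian\users\default\cache path named in the message) and reports which cached HTML files embed a filled-in password-type or password-named form field, without echoing the value. The field-name heuristic and the sample auto-login page are assumptions constructed for the demo, not real Trillian output.

```python
# Added example (not from the thread): find cached HTML that embeds credentials.
# Assumptions: a field counts as credential-bearing if type="password" or its
# name matches SECRET_NAME; the sample page below is constructed, not Trillian's.
import os
import re
import tempfile
from html.parser import HTMLParser

SECRET_NAME = re.compile(r"pass(wd|word)?|secret|pwd", re.IGNORECASE)


class _FormInputs(HTMLParser):
    """Collect (name, type, value) of every <input> in an HTML document."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.inputs.append((a.get("name", ""), a.get("type", ""), a.get("value", "")))


def leaked_fields(html_text):
    """Names of inputs carrying a non-empty credential value (values never returned)."""
    p = _FormInputs()
    p.feed(html_text)
    return [name for name, typ, val in p.inputs
            if val and (typ.lower() == "password" or SECRET_NAME.search(name))]


def scan_cache(cache_dir):
    """Map each .htm/.html file under cache_dir to the credential fields it embeds."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for fn in files:
            if fn.lower().endswith((".htm", ".html")):
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    fields = leaked_fields(fh.read())
                if fields:
                    findings[path] = fields  # field names only; values are not recorded
    return findings


# Constructed sample of an auto-submitting login page with a hidden password field.
SAMPLE_HTML = """<html><body onload="document.f.submit()">
<form name="f" method="post" action="https://login.example.invalid/">
<input type="hidden" name="login" value="alice">
<input type="hidden" name="passwd" value="hunter2">
</form></body></html>"""


def demo():
    """Write the sample into a temp 'cache' directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "yahoo_login.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HTML)
        return {os.path.basename(k): v for k, v in scan_cache(d).items()}
```

Point `scan_cache` at the real cache directory to confirm whether any file there still embeds a filled-in password field after the client is closed.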
Hi Suramya,
I tried to verify this on 3.0 b121 too, but I cannot duplicate it. The only
files I find in the cache directory are png images and some html files that
are simply links to the yahoo SSL login page. There must be some other
setting that is different between yours and mine. Perhaps we can figure this
out together? Going on your word that this vulnerability exists, I'm
thinking the conditions to replicate it are more specific.
Sincerely,
-Bond Masuda
Security Consultant, CISSP
-------------------------------------
JL Bond Consulting / www.JLBond.com
Tel: 619.890.7360
Email: bond.masuda@xxxxxxxxxx