This bug has been known for at least a few months. Nothing new here...

http://lists.insecure.org/vuln-dev/2002/Jun/0060.html

http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t@creighton.edu

-----Original Message-----
From: Evan Nemerson [mailto:enemerson@coeus-group.com]
Sent: Monday, September 09, 2002 4:20 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org; submissions@packetstormsecurity.org; news@securiteam.com
Subject: Trillian weakly encrypts saved passwords

Software: Trillian 0.73, possibly other versions.
Issue: Weak "encryption" of saved passwords.
Impact: Decryption of saved passwords.
Vendor notified: 3 Sept., 2002. No response.
Severity: Medium. ish. The program only works locally, and only if the subject has saved their password, and really if someone can get into your AIM account, how earth-shattering is that??? However, since a lot of people use the same password for everything...

---------------------

Trillian is, according to trillian.cc, "...everything you need for instant messaging. Connect to ICQ(R), AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface."

Upon examination of the Trillian directory (which defaults to C:\Program Files\Trillian\), it appears that passwords are stored in INI files that are located in {Path to Trillian}\users\{WindowsLogon}. The passwords are encrypted using a simple XOR with a key apparently uniform throughout every installation.

The attached program takes, as command line argument(s), path(s) to these INI files. It will then display a list of usernames, "encrypted" passwords, and plaintext passwords.

Evan Nemerson
enemerson@coeus-group.com
http://www.coeus-group.com
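The storage scheme the advisory describes, as an added illustration that is not the attached program or any Trillian code: a profile INI with XOR-ed, hex-encoded passwords under a fixed key, and why such a key cannot stay secret. The key, the hex encoding and the INI layout are constructed assumptions, since the post gives none of them.

```python
import configparser

# Constructed placeholder: the real Trillian key and on-disk encoding are
# not given in the advisory, so a 4-byte demo key and hex encoding are assumed.
DEMO_KEY = bytes.fromhex("5a3c9e17")


def xor_fixed_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_demo_ini(accounts: dict) -> str:
    """Constructed profile INI in the shape the advisory describes:
    one section per account, password stored XOR-ed and hex-encoded."""
    lines = []
    for user, pw in accounts.items():
        enc = xor_fixed_key(pw.encode(), DEMO_KEY).hex()
        lines += [f"[{user}]", f"password={enc}", ""]
    return "\n".join(lines)


def saved_passwords(ini_text: str, key: bytes) -> dict:
    """What a reader of the INI sees once the key is known: user -> plaintext."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    out = {}
    for user in cp.sections():
        enc = cp[user].get("password")
        if enc:
            out[user] = xor_fixed_key(bytes.fromhex(enc), key).decode()
    return out


def leaked_key(stored_hex: str, known_password: str) -> bytes:
    """Why a key uniform across installations is no protection: one stored
    value whose plaintext is known (a user's own) yields the key bytes
    for every other account and every other install."""
    ct = bytes.fromhex(stored_hex)
    pt = known_password.encode()
    n = min(len(ct), len(pt))
    return bytes(ct[i] ^ pt[i] for i in range(n))


if __name__ == "__main__":
    ini = build_demo_ini({"alice": "Hunter2!", "bob": "s3cret"})
    print(saved_passwords(ini, DEMO_KEY))
```

A reversible store such as this needs a secret the attacker does not also hold, which a constant compiled into every copy of the program is not.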