Not really relavant as even when it would be encrypted with MD5 or whatever
one could just copy and use the ini file your own pc.
A bigger problem imho is that the location is known and the content is
textual, with all the recent local file reading exploits in msie this is
nasty, I was already sent sample code for this a couple of weeks ago after i
posted the xmldso thingie
--
jelmer
----- Original Message -----
From: "Evan Nemerson" <enemerson@coeus-group.com>
To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>;
<submissions@packetstormsecurity.org>; <news@securiteam.com>
Sent: Monday, September 09, 2002 11:20 AM
Subject: Trillian weakly encrypts saved passwords
> Software:
> Trillian 0.73, possibly other versions.
>
> Issue:
> Weak "encryption" of saved passwords.
>
> Impact:
> Decryption of saved passwords.
>
> Vendor notified:
> 3 Sept., 2002. No response.
>
> Severity:
> Medium. ish. The program only works locally, and only if the subject
> has saved their password, and really if someone can get into your AIM
> account, how earth-shattering is that??? However, since a lot of people
use
> the same password for everything...
>
> ---------------------
>
> Trillian is, according to trillian.cc, "...everything you need for instant
> messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger,
Yahoo!
> Messenger and IRC in a single, sleek and slim interface."
>
> Upon examination of the Trillian directory (which defaults to C:\Program
> Files\Trillian\ ), it appears that passwords are stored in ini files that
are
> located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
> encrypted using a simple XOR with a key apparently uniform throughout
every
> installation.
>
> The attached program takes, as command line argument(s), path(s) to these
INI
> files. It will then display a list of usernames, "encrypted" passwords,
and
> plaintext passwords.
>
>
> Evan Nemerson
> enemerson@coeus-group.com
> http://www.coeus-group.com
>
>
>
>
