A bug exists in CheetaChat which lets an attacker with access to the yaliases.dat to get users yahoo passwords in plain text. I. BACKGROUND CheetaChat is a free and full-featured chatting client that works with Yahoo! Chat, CheetaServ and Ichat sites. It lets users use solid tones,fades, custom fonts and styles! Share your music and files with friends . CheetaChat is a very popular chat client for Yahoo! Chat!. It can be downloaded from www.cheetachat.com II. DESCRIPTION When users add there yahoo id to cheetachat it gets encrypted and stored in a file called yaliases.dat which is stored in the folder CheetaChat was installed to. An attacker who can get access to the yaliases.dat file can easly retrive the users password's in plain text. Example: If the attacker loads this file up with cheetachat they can then get the users password by doing the following 1. log into cheetachat using the id. 2. click on the settings menu then preferences then once in there check the box that says Use internal Browser then click ok. 3. Now click on the Chat menu and click Account/Password . After this the internal browser will load up and send login and pass to the yahoo login , If you look at the very end of the address box you will see the users password in plain text like passwd= then the pass in plain text. III. ANALYSIS An attacker able to obtain the target users yaliases.dat file can easily obtain there yahoo id and password. This could give the attacker access to the targets full yahoo account including email , personal details and if the user used the pay direct service on yahoo the attacker could get credit card information. This is of special concern in shared environments. IV. DETECTION This is vulnerable in all versions on cheetachat including the latest version 6.5.10. I tested this on WindowsXP home with latest version of cheetachat. V. VENDOR I once contacted the vendor about this problem several months ago and never got a reply and the problem has never been fixed since. Regards b0f (Alan M) www.b0f.net b0f@b0f.net
