From: security curmudgeon [mailto:jericho@xxxxxxxxxxxxx] > : I was playing around with Trillian Pro 3.1 Build 121 and noticed > : a very disturbing behavior when using it to check my yahoo mail. > : > : When you choose the option to check your yahoo email from > : Trillian (The little connection ball -> Check Yahoo Mail) it > : creates a temp file in the <Install > : Directory>\users\default\cache with a random name that contains > : the yahoo password in *clear text* and this file is world > : readable. This would be somewhat ok if the file was deleted as > : soon as the login was done but the file just sits there till you > : exit out of trillian. Logging out doesn't erase the file. I have > : watched the file exist on my system for over two weeks. > : > : I have duplicated this with Trillian 3.0 Basic and Pro also. > : Tested on Windows XP Pro and Windows 2000. > > I have Trillian Pro 3.1 Build 121 on Windows XP and can't > duplicate this behavior. Did you use the "Check Yahoo! Mail..." function? I'm running v3.1 Basic, Build 121, running on Windows XP Pro SP2. When I started Trillian, there were just image files in the cache directory as you describe. When I used the "Check Yahoo! Mail" function as described by the OP, an HTML file was created in the cache folder. The contents of the file is a form containing, among other information, these lines: username='<my Yahoo! username in plaintext>'; password='<my Yahoo! password in plaintext>'; The filename used is insufficiently random to provide any real benefit. The file names used (in order used) were: sfd27.html sfd67.html sfd96.html sfd82.html sfd36.html sfd3.html I also checked this behavior with MSN and AIM: With the "Check Hotmail..." function, a temporary HTML form file is also created but the Passport login uses a hash-based authentication mechanism. The temp file is similarly long-lived, but the hash is different each time a new temp file is created. AIM's "Check AOL Mail" function didn't result in the creation of a temp file like those used for Yahoo! and MSN. I don't have an AOL mail account and that may have been a factor. I do agree that the temp files are poor implementation. There's no reason to store such single-use information on disk. But then I suppose this is fairly moot, since all of the passwords are stored as a reversible hash in static files in the user's directory.
