Keith Phillips wrote:
> The issue arises when you click the link to your Yahoo mail under "My Mail Accounts". This creates an html file in the directory discussed below which contains user name and clear text password.
>
> KP
>
> -----Original Message-----
> From: security curmudgeon [mailto:jericho@xxxxxxxxxxxxx]
> Sent: Tuesday, August 02, 2005 3:51 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: Suramya Tomar
> Subject: Re: Trillian Ver 3.1 saves password's in plain Text
>
> Hi Suramya,
>
> : I was playing around with Trillian Pro 3.1 Build 121 and noticed a very disturbing behavior when using it to check my yahoo mail.
> :
> : When you choose the option to check your yahoo email from Trillian (the little connection ball -> Check Yahoo Mail) it creates a temp file in the <Install Directory>\users\default\cache with a random name that contains the yahoo password in *clear text* and this file is world readable. This would be somewhat ok if the file was deleted as soon as the login was done but the file just sits there till you exit out of trillian. Logging out doesn't erase the file. I have watched the file exist on my system for over two weeks.
> :
> : I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on Windows XP Pro and Windows 2000.
>
> I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this behavior. I have a YIM, ICQ, AIM and several Jabber accounts. My cache directory has several files in it; buddy type icon files for various AIM/YIM users, graphics for plugins, etc. In fact, every single file in there is JPEG, GIF or PNG.
>
> Doing a case insensitive grep through all the files, I can't find any trace of any of my passwords in any file in this directory. All of the files are dated 08/01/2005 shortly after I started Trillian up after returning from out of town.
>
> Could this occur the first time you set up a specific protocol/account, and that cache file is erased upon Trillian restart? If so, that would still be an issue, although considerably less severe. If not that, is there anything else being done differently here?
>
> : I have attempted to contact Cerulean Studios multiple times before releasing this using their webform, email and forums over the past month but haven't heard anything back from them. My last attempt to contact them was on 06/13/2005. Since I haven't heard anything from them I am sending this to Bugtraq.
>
> Before 3.x (I think), Trillian had a way to submit bugs/feedback from within the program, and all of my reports were responded to within 24 hours. Since 3.x I believe that feature is gone. Doesn't help you, just a side comment =) Would be nice to see Cerulean bring this back.

I'd just like to add that, while it may not be relevant, Gaim does the same thing (in Window$). It stores the passwords in plain text, in the User accounts directory (ie. c:\documents and settings\user123). More on that here. <http://gaim.sourceforge.net/plaintextpasswords.php>

-- 
Patrick M.

/* EOF */
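The check security curmudgeon describes in the thread, a case-insensitive grep through every file in the Trillian cache directory, is easy to automate so that anyone trying to reproduce Suramya's report can run it after each step (first account setup, "Check Yahoo Mail", logout, client restart). The script below is an added example written for this page; it is not code from the thread, from Trillian or from Cerulean Studios. It walks a directory, classifies each file by its magic bytes so that a leaked HTML or text file stands out from the JPEG/GIF/PNG icons the curmudgeon found, searches for the password both as plain text and as a UTF-16LE wide string (an assumption about what a Windows client might write, not something the thread reports), and prints how long each hit has been sitting on disk. The sample cache built by build_demo_cache(), its file names and the demo password are all constructed for the example.

```python
r"""Added example (not from the thread, Trillian or Cerulean Studios).

Automates the check described above: walk an IM client's cache directory
(for Trillian, <Install Directory>\users\default\cache) and grep every file,
case-insensitively, for the account password. Each file is classified by
magic bytes so a leaked HTML/text file stands out from the buddy icons, and
the secret is also searched in UTF-16LE, since Windows programs often write
wide strings (an assumption, not something the thread reports). The sample
cache built by build_demo_cache() is constructed for the demo.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Magic prefixes for the only file types the curmudgeon found in a clean cache.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


@dataclass
class Finding:
    path: str
    kind: str           # "jpeg", "png", "gif" or "non-image"
    encoding: str       # encoding in which the secret was found
    age_seconds: float  # how long the file has been sitting there


def file_kind(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "non-image"


def scan_cache(directory: str, secret: str, now: Optional[float] = None) -> List[Finding]:
    """Return one Finding per file under `directory` that contains `secret`.

    Matching is case-insensitive (ASCII letters) and is tried against the
    UTF-8 and the UTF-16LE encoding of the secret.
    """
    if now is None:
        now = time.time()
    patterns = [
        ("utf-8", re.compile(re.escape(secret.encode("utf-8")), re.IGNORECASE)),
        ("utf-16le", re.compile(re.escape(secret.encode("utf-16-le")), re.IGNORECASE)),
    ]
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for encoding, pattern in patterns:
                if pattern.search(data):
                    findings.append(Finding(path, file_kind(data), encoding,
                                            now - os.path.getmtime(path)))
                    break  # one finding per file is enough
    return sorted(findings, key=lambda f: f.path)


def build_demo_cache(secret: str) -> str:
    """Constructed sample cache: two genuine image headers and two leaks."""
    directory = tempfile.mkdtemp(prefix="cache-demo-")

    def put(name: str, data: bytes) -> None:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

    put("a1b2c3d4.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # buddy icon, clean
    put("e5f6a7b8.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # plugin graphic, clean
    # Random-named HTML file of the kind the reports describe; the password is
    # upper-cased here to exercise the case-insensitive match.
    put("9c0d1e2f.tmp",
        b"<html><body><form><input name=login value=user123>"
        b"<input name=passwd value=" + secret.upper().encode("utf-8") +
        b"></form></body></html>")
    # Same leak written as a wide string, which a plain grep would miss.
    put("3a4b5c6d.dat", ("login=user123&passwd=" + secret).encode("utf-16-le"))
    return directory


def report(findings: List[Finding]) -> None:
    for f in findings:
        print(f"{f.path}: {f.kind} file, password present ({f.encoding}), "
              f"last modified {f.age_seconds / 3600:.1f} h ago")


if __name__ == "__main__":
    demo_secret = "Hunter2Pass"  # constructed demo password, not a real one
    report(scan_cache(build_demo_cache(demo_secret), demo_secret))
```

Point scan_cache() at the real cache directory with the real account password to reproduce the curmudgeon's grep; a hit in a "non-image" file that survives a logout, as Suramya describes, is the behaviour under dispute in the thread, while a hit that disappears after a client restart would be the milder variant the curmudgeon asks about.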