Pidgin transmits OTR (off-the-record) conversations over DBUS in plaintext. This makes it possible for attackers that have gained user-level access on a host to listen in on private conversations associated with the victim account.

Pidgin is a popular Instant Messenger application that runs on a wide variety of platforms, including Windows and Linux. The pidgin-otr plugin enables users to communicate securely over any Instant Messenger network using the “Off-the-record” messaging protocol.

If Pidgin is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages typed into Pidgin and all messages received through Pidgin are broadcast on DBUS. The reasoning behind this is to allow third-party applications, such as desktop widgets, to process these messages (e.g. create an animation when a message arrives). However, among the messages transmitted over DBUS one also finds OTR conversations in plaintext form. This is a security problem, as the private OTR messages may leak to other (unrelated) processes that are executing with the Pidgin user’s rights.

A more detailed advisory and proof-of-concept script can be found here:
http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

The Pidgin and pidgin-otr development teams have been contacted about this issue and we anticipate a fix in a coordinated future release.

The Common Vulnerabilities and Exposures (CVE) project has assigned candidate name CVE-2012-1257 to this issue.

Disclosure Timeline
-------------------
Vendor Contact(s): December 20th, 2011
CVE assignment: February 21st, 2012
Public Disclosure: February 25th, 2012

Kind regards,
Dimitris Glynos

--
http://census-labs.com -- IT security research, development and services
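The two preconditions the advisory names (a running DBUS session daemon, and a Pidgin build that registers on it) can be checked from the affected user's own desktop session. The script below is an added example, not the advisory's proof-of-concept and not code from the Pidgin or census-labs projects. It assumes `dbus-send` is installed and that the bus name libpurple registers is `im.pidgin.purple.PurpleService`; it only lists bus names and does not subscribe to any message signals.

```shell
#!/bin/sh
# Added example (not from the advisory): audit whether this desktop session
# matches the exposure described above, i.e. a DBUS session bus exists AND
# Pidgin/libpurple has registered its service on it.
# Assumptions: 'dbus-send' is available; libpurple registers the bus name
# "im.pidgin.purple.PurpleService" (assumed name, not taken from the advisory).

PURPLE_BUS_NAME="im.pidgin.purple.PurpleService"

# Return 0 if a ListNames reply (as printed by dbus-send) contains the
# libpurple service name as an exact quoted string.
purple_name_in_listing() {
    printf '%s\n' "$1" | grep -Fq "\"$PURPLE_BUS_NAME\""
}

# Ask the session bus for every registered name (needs a live session bus).
list_session_bus_names() {
    dbus-send --session --dest=org.freedesktop.DBus --type=method_call \
        --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames \
        2>/dev/null
}

# Classify a session from its bus address and a ListNames reply.
# Prints exactly one of: NO_SESSION_BUS, PIDGIN_NOT_ON_BUS, PIDGIN_EXPOSED.
classify_exposure() {
    session_addr="$1"   # value of $DBUS_SESSION_BUS_ADDRESS, or empty
    names="$2"          # text returned by list_session_bus_names
    if [ -z "$session_addr" ]; then
        echo NO_SESSION_BUS            # precondition 1 not met
    elif purple_name_in_listing "$names"; then
        echo PIDGIN_EXPOSED            # both preconditions met
    else
        echo PIDGIN_NOT_ON_BUS         # bus present, Pidgin not registered
    fi
}

# Stand-alone run against the live desktop session, skipped when dbus-send
# is missing so the functions above can still be sourced elsewhere.
if command -v dbus-send >/dev/null 2>&1; then
    classify_exposure "${DBUS_SESSION_BUS_ADDRESS:-}" "$(list_session_bus_names)"
fi
```

`PIDGIN_EXPOSED` means any other process running as the same user can reach the bus that carries the OTR plaintext; `NO_SESSION_BUS` is the state in which the leak path described in the advisory does not exist at all.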