September 19th, 2002

lookin' good

From the Windows & .Net Magazine Network Magazine Update, 9/19

Since I use Trillian and recommend it, I thought I'd post this.

This is not an "over the wire" exploit--however, if you share you machine with others they could use this technique by compiling the sample code and running it on your machine to discover your IM passwords...

* WEAK PASSWORD ENCRYPTION VULNERABILITY IN CERULEAN STUDIOS' TRILLIAN INSTANT MESSENGER
A vulnerability exists in the Trillian Instant Messaging (IM) client that can let an attacker exploit a weakness in the encryption scheme the software uses to store user authentication credentials. The software uses exclusive OR (XOR) encryption with the same static key for every installation to encrypt these credentials. A local attacker can exploit this weakness to gain access to another user's IM credentials. The vendor, Cerulean Studios, has not issued a fix or patch for this vulnerability. For a detailed explanation of the risks and proof-of-concept code, be sure to visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26690