Peter 'Happy' Thomas (happypete) wrote,

From the Windows & .Net Magazine Network Magazine Update, 9/19

Since I use Trillian and recommend it, I thought I'd post this.

This is not an "over the wire" exploit--however, if you share your machine with others they could use this technique by compiling the sample code and running it on your machine to discover your IM passwords...

* WEAK PASSWORD ENCRYPTION VULNERABILITY IN CERULEAN STUDIOS' TRILLIAN INSTANT MESSENGER
A vulnerability exists in the Trillian Instant Messaging (IM) client that can let an attacker exploit a weakness in the encryption scheme the software uses to store user authentication credentials. The software uses exclusive OR (XOR) encryption with the same static key for every installation to encrypt these credentials. A local attacker can exploit this weakness to gain access to another user's IM credentials. The vendor, Cerulean Studios, has not issued a fix or patch for this vulnerability. For a detailed explanation of the risks and proof-of-concept code, be sure to visit our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=26690
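To show why XOR with one static key gives no real protection, here is an added example (not from the newsletter, the linked article, or Cerulean Studios) of an audit check that uses known test passwords to confirm a credential store behaves this way. The key, function names and sample passwords are constructed for illustration and are not Trillian's actual key or file format.

```python
# Constructed key for illustration only; NOT Trillian's real key or file format.
STATIC_KEY = bytes.fromhex("a3195c7e02d48b6f")


def xor_store(password: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Model of the weak scheme: XOR each byte with a repeating, hard-coded key.
    Applying it twice returns the input, so 'decrypt' is the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def keystream(known_password: bytes, stored: bytes) -> bytes:
    """known plaintext XOR stored value = key bytes; no secret is required."""
    return bytes(p ^ c for p, c in zip(known_password, stored))


def is_static_xor(pairs) -> bool:
    """Audit check: set known test passwords on separate installs or accounts,
    then compare the keystreams derived from each (password, stored) pair.
    If they agree on every overlapping prefix, the store is XOR with one
    shared key, and any stored value can be reversed by anyone who knows it."""
    if len(pairs) < 2:
        raise ValueError("need at least two (password, stored) pairs to compare")
    streams = [keystream(p, c) for p, c in pairs]
    first = streams[0]
    for s in streams[1:]:
        n = min(len(first), len(s))
        if s[:n] != first[:n]:
            return False
    return True


if __name__ == "__main__":
    # Constructed test passwords, as an auditor would set on two test installs.
    install_a = (b"audit-test-one", xor_store(b"audit-test-one"))
    install_b = (b"second-known-pw", xor_store(b"second-known-pw"))
    print("same key on both installs:", is_static_xor([install_a, install_b]))
    print("key bytes exposed by one known password:",
          keystream(*install_a)[:len(STATIC_KEY)].hex())
```
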