Trillian stores passwords insecurely using weak encryption algorithm
| trillian-insecure-password-storage (10092) |  Low Risk |
Description:
Trillian stores user passwords in easily guessable .ini files in the Trillian directory using a weak encryption algorithm. A local attacker could recover these files and easily recover the credentials to the victim's instant messaging accounts. In addition, an attacker could copy the .ini files to their own Trillian folder and automatically obtain access to all of the victim's messaging accounts without having to decrypt the credentials.
Platforms Affected:
- Cerulean Studios, Trillian 0.73
Remedy:
No remedy available as of November 29, 2008.
Consequences:
Obtain Information
References:
- BugTraq Mailing List, Mon Sep 09 2002 - 04:20:04 CDT , Trillian weakly encrypts saved passwords at http://archives.neohapsis.com/archives/bugtraq/2002-09/0077.html.
- BugTraq Mailing List, Mon Sep 09 2002 - 13:26:42 CDT, RE: Trillian weakly encrypts saved passwords at http://archives.neohapsis.com/archives/bugtraq/2002-09/0078.html.
- BugTraq Mailing List, Mon Sep 09 2002 - 13:29:14 CDT, Re: Trillian weakly encrypts saved passwords at http://archives.neohapsis.com/archives/bugtraq/2002-09/0079.html.
- BugTraq Mailing List, Mon Sep 09 2002 - 16:34:35 CDT, Re: Trillian weakly encrypts saved passwords at http://archives.neohapsis.com/archives/bugtraq/2002-09/0092.html.
- BID-5677: Trillian Instant Messaging Credential Encryption Weakness
- CVE-2002-2162: Cerulean Studios Trillian 0.73 and earlier use weak encrypttion (XOR) for storing user passwords in .ini files in the Trillian directory, which allows local users to gain access to other user accounts.
Reported:
Sep 09, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net