Re: Trillian weakly encrypts saved passwords

[Mike Benham <moxie () thoughtcrime org>]

I think you'll find that there isn't really a secure way to store
passwords locally.  I think Trillian has done the right thing here by
obfuscating saved passwords to prevent casual shoulder-surfing.

Trillian could use PBKDF2 to save the passwords locally, but then you'd
have to enter a password to retrieve your saved password.  If you have
reason to worry about the security of your saved password, don't save it.

- Mike

--
http://www.thoughtcrime.org

On Mon, 9 Sep 2002, Evan Nemerson wrote:

> Software:
> Trillian 0.73, possibly other versions.
>
> Issue:
> Weak "encryption" of saved passwords.
>
> Impact:
> Decryption of saved passwords.
>
> Vendor notified:
> 3 Sept., 2002. No response.
>
> Severity:
> Medium. ish. The program only works locally, and only if the subject
> has saved their password, and really if someone can get into your AIM
> account, how earth-shattering is that??? However, since a lot of people use
> the same password for everything...
>
> ---------------------
>
> Trillian is, according to trillian.cc, "...everything you need for instant
> messaging. Connect to ICQ?, AOL Instant Messenger(SM), MSN Messenger, Yahoo!
> Messenger and IRC in a single, sleek and slim interface."
>
> Upon examination of the Trillian directory (which defaults to C:\Program
> Files\Trillian\ ), it appears that passwords are stored in ini files that are
> located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
> encrypted using a simple XOR with a key apparently uniform throughout every
> installation.
>
> The attached program takes, as command line argument(s), path(s) to these INI
> files. It will then display a list of usernames, "encrypted" passwords, and
> plaintext passwords.
>
>
> Evan Nemerson
> enemerson () coeus-group com
> http://www.coeus-group.com