Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Getting stored passwords in plain text from CheetaChat

From: b0f www.b0f.net <woot_woot_root () yahoo co uk>
Date: 13 Feb 2003 18:02:10 -0000


A bug exists in CheetaChat which lets an attacker with access to the
yaliases.dat 
to get users yahoo passwords in plain text.

I. BACKGROUND
CheetaChat is a free and full-featured chatting client that works with
Yahoo! Chat, CheetaServ and Ichat sites. It lets users use solid
tones,fades, custom fonts and styles! Share your music and files with
friends . CheetaChat is a very popular chat client for Yahoo! Chat!. It
can be downloaded from www.cheetachat.com

II. DESCRIPTION

When users add there yahoo id to cheetachat it gets encrypted and stored
in a file called yaliases.dat which is stored in the folder CheetaChat
was installed to. An attacker who can get access to the yaliases.dat
file can easly retrive the users password's in plain text.

Example: If the attacker loads this file up with cheetachat they can then
get the users password by doing the following 1. log into cheetachat
using the id. 2. click on the settings menu then preferences then once
in there check the box that says Use internal Browser then click ok. 3.
Now click on the Chat menu and click Account/Password . After this the
internal browser will load up and send login and pass to the yahoo login
, If you look at the very end of the address box you will see the users
password in plain text like passwd= then the pass in plain text.


III. ANALYSIS
An attacker able to obtain the target users yaliases.dat file can easily
obtain there yahoo id and password. This could give the attacker access
to the targets full yahoo account including email ,  personal details
and  if the user used the pay direct service on yahoo the attacker could
get credit card information.  This is of special concern in shared
environments.

IV. DETECTION

This is vulnerable in all versions on cheetachat including the latest
version 6.5.10. I tested this on WindowsXP home with latest version of
cheetachat.

V. VENDOR
I once contacted the vendor about this problem several months ago and
never got a reply and the problem has never been fixed since.

Regards
b0f  (Alan M)
www.b0f.net
b0f () b0f net
Previous By Date Next
Previous By Thread Next

Current thread: