Full Disclosure mailing list archives
Re: Google Talk cleartext credentials in process memory
From: pagvac <unknown.pentester () gmail com>
Date: Tue, 29 Nov 2005 10:22:00 +0000
Personally I only tested the "patched" version by searching for the ASCII (decimal) representation of my own password. In other words, I searched for "mypassword" with a hex editor, rather than its hexadecimal representation "6d7970617373776f7264" If what you're saying is that all Google did is change the cleartext password to its hexadecimal representation then you might be completely right as I haven't tested this myself. Anyways, if that's the case, then shame on Google for such a poor attempt of obfuscation. On 11/29/05, 6ackpace <6ackpace () gmail com> wrote:
Hi, If i am right Google Talk Beta Messenger cleartext credentials in process memory still exist on the current version. googles answer for this issue: plain char -> hex char 6ackpace On 11/29/05, Jaroslaw Sajko <sloik () parareal net> wrote:pagvac wrote:Title: Google Talk Beta Messenger cleartext credentials in processmemoryDescription Google Talk stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 25, 2005 (two days after the release of Google Talk) and has already been patched by Google. This issue would occur regardless of whether the "Save Password" feature was enabled or not.The same issue concerns many applications, ie. Gadu-Gadu - another instant messenger. In my opinion such "vulnerabilities" are not worthy publishing (for Gadu-Gadu we have not published this kind of software behaviour) because if you can dump other user process or trick him to execute any code then reading the password from the process memory is only one of many things which you can do. regards, js _______________________________________________ Full-Disclosure - We believe in it. Charter:http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/
-- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust -- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google Talk cleartext credentials in process memory pagvac (Nov 28)
- Re: Google Talk cleartext credentials in process memory Jaroslaw Sajko (Nov 29)
- Re: Google Talk cleartext credentials in process memory 6ackpace (Nov 29)
- Message not available
- Re: Google Talk cleartext credentials in process memory pagvac (Nov 29)
- Re: Google Talk cleartext credentials in process memory 6ackpace (Nov 29)
- Message not available
- Re: Google Talk cleartext credentials in process memory pagvac (Nov 29)
- Re: Google Talk cleartext credentials in process memory Stelian Ene (Nov 29)
- Re: Google Talk cleartext credentials in process memory Jaroslaw Sajko (Nov 29)
- Message not available
- Re: Google Talk cleartext credentials in process memory Jaroslaw Sajko (Nov 29)
- Re: Google Talk cleartext credentials in process memory Nasko Oskov (Nov 29)
- Re: Google Talk cleartext credentials in process memory Jaroslaw Sajko (Nov 29)
- Re: Google Talk cleartext credentials in process memory Georgi Guninski (Nov 29)
- Re: Google Talk cleartext credentials in process memory Kurt Grutzmacher (Nov 29)
- Re: Google Talk cleartext credentials in processmemory Brian Dessent (Nov 29)
- Re: Google Talk cleartext credentials in processmemory Kurt Grutzmacher (Nov 30)