Trillian stores passwords insecurely using weak encryption algorithm
| trillian-insecure-password-storage (10092) |  Low Risk |
Description:
Trillian stores user passwords in easily guessable .ini files in the Trillian directory using a weak encryption algorithm. A local attacker could recover these files and easily recover the credentials to the victim's instant messaging accounts. In addition, an attacker could copy the .ini files to their own Trillian folder and automatically obtain access to all of the victim's messaging accounts without having to decrypt the credentials.
Consequences:
Obtain Information
Remedy:
No remedy available as of July 9, 2011.
References:
- BugTraq Mailing List, Mon Sep 09 2002 - 04:20:04 CDT : Trillian weakly encrypts saved passwords .
- BugTraq Mailing List, Mon Sep 09 2002 - 13:26:42 CDT: RE: Trillian weakly encrypts saved passwords.
- BugTraq Mailing List, Mon Sep 09 2002 - 13:29:14 CDT: Re: Trillian weakly encrypts saved passwords.
- BugTraq Mailing List, Mon Sep 09 2002 - 16:34:35 CDT: Re: Trillian weakly encrypts saved passwords.
- BID-5677: Trillian Instant Messaging Credential Encryption Weakness
- CVE-2002-2162: Cerulean Studios Trillian 0.73 and earlier use weak encrypttion (XOR) for storing user passwords in .ini files in the Trillian directory, which allows local users to gain access to other user accounts.
Platforms Affected:
- Trillian Trillian 0.73
Reported:
Sep 09, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net