Spyware, Viruses, & Security forum

Trillian Saves Yahoo! Password in Plain Text to Local Temporary File in Certain Cases

by Donna Buenaventura / April 13, 2004 4:04 PM PDT

SecurityTracker Alert ID: 1009745
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 13 2004

Impact: Disclosure of authentication information

Exploit Included: Yes

Description: Rafel Ivgi (The-Insider) reported a vulnerability in Trillian (when used with Yahoo! Messenger services). A local user can obtain the target user's password.

It is reported that when a Yahoo! Messenger user receives an e-mail via Yahoo! mail, the system will display a pop-up window to prompt the target user to check their mail. If the prompt is selected, the system reportedly writes an HTML file containing the target user's Yahoo! password to the Windows temporary folder. The system also reportedly saves the "Remember me" login credentials without prompting for the user's approval. The information is transmitted without session security (i.e., over HTTP), the report said.

Impact: A local user can obtain a target user's Yahoo! password in certain cases.

Solution: No solution was available at the time of this entry.

Vendor URL: www.trillian.cc/

Cause: Access control error, State error

Underlying OS: Windows (Any)

Reported By: Rafel Ivgi

http://www.securitytracker.com/alerts/2004/Apr/1009745.html
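An added example, not part of the original post or the SecurityTracker advisory: a local audit that walks the temporary folder for HTML files containing a pre-filled password field and notes whether the enclosing form submits over plain HTTP, the two conditions the report describes. The field-name hints, the sample page and the host `login.example.invalid` are assumptions, since the advisory does not give the file's name or layout.

```python
import os
import tempfile
from html.parser import HTMLParser

SECRET_HINTS = ("pass", "pwd")  # assumed name hints, not taken from the advisory

# Constructed sample of an auto-login page; not a real Trillian artifact.
SAMPLE = ('<form action="http://login.example.invalid/" method="post">'
          '<input type="hidden" name="login" value="alice">'
          '<input type="hidden" name="passwd" value="not-a-real-secret"></form>')

class CredentialFormFinder(HTMLParser):
    """Records pre-filled secret fields (name only, never the value) and their form action."""
    def __init__(self):
        super().__init__()
        self.action = ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and a.get("value"):
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(h in name for h in SECRET_HINTS):
                self.findings.append({"field": name, "action": self.action,
                                      "cleartext": self.action.lower().startswith("http://")})

def scan_html(text):
    finder = CredentialFormFinder()
    finder.feed(text)
    return finder.findings

def scan_temp_dir(temp_dir=None):
    """Map each .htm/.html file under temp_dir to its findings (clean files omitted)."""
    report = {}
    for root, _dirs, files in os.walk(temp_dir or tempfile.gettempdir()):
        for fname in files:
            if not fname.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(root, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
            except OSError:
                continue  # unreadable or locked file: skip it
            if hits:
                report[path] = hits
    return report
```

Calling `scan_temp_dir()` with no argument checks the current user's temporary directory; any file it reports should be deleted and the affected password changed.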

