May 26th, 2002, 01:22 PM
Bug in Trillian
I have recently found a bug in the Trillian messenger program. When you check your email, your username and password are transferred in cleartext. For example, if I want to check Hotmail:
Where my_username and my_password are usernames and passwords respectively. This vulnerability would be great for packet sniffing, either local to the computer or on the network.
May 26th, 2002, 05:07 PM
Hrm....... that definitely isn't good, they need to learn how to hide this.... hehe, you should e-mail Trillian about this...
greenies for you.
May 26th, 2002, 05:22 PM
How is this a bug? The only other way to access your Hotmail account from third-party software would be to strike some deal with Microsoft to get into your account, similar to the way MSN Messenger does it. So, we are either looking at some contract from Trillian with microshit, or have them remain third-party software. If it is that important for you not to see your username and password, then download MSN Messenger.
May 26th, 2002, 05:28 PM
It's called bad design, not really a bug (unless you've seen the specs for it and they say otherwise). It's been there forever too. It is also using HTTPS when the data is sent... so there should be an encrypted connection when the data is sent (hopefully).
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
May 26th, 2002, 05:39 PM
hah, I didn't see the HTTPS, didn't really pay attention to the URL.... you're safe hehe
May 26th, 2002, 05:51 PM
It's not a bug, it's a feature since Trillian tells the user that the username and password are transmitted in the url.
Source: Preferences in Trillian v. 0.725
Automatically login to my Hotmail account (transmits username/password in url)
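Editor's added example (not part of any post above, and not Trillian's code): HTTPS encrypts the URL on the wire, but a URL that carries a username and password is still stored in full wherever it gets logged, so this sketch scans log lines for credential-bearing URLs and redacts them. It goes slightly beyond the thread by also catching the `user:password@host` form; the host names, parameter names and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as credentials (assumed list for this example).
SENSITIVE = {"password", "passwd", "pwd", "pass", "login", "username", "user"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redact_url(url):
    """Return (redacted_url, leaked_names) for a single URL."""
    parts = urlsplit(url)
    leaked, netloc = [], parts.netloc
    if "@" in netloc:  # user:password@host form
        userinfo, host = netloc.rsplit("@", 1)
        if ":" in userinfo:
            leaked.append("userinfo")
            netloc = "REDACTED@" + host
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        query.append((name, value))
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        urlencode(query), parts.fragment))
    return clean, leaked

def scan_log(lines):
    """Return (findings, redacted_lines); a finding is (line_no, host, names)."""
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        def repl(match):
            clean, leaked = redact_url(match.group(0))
            if not leaked:
                return match.group(0)  # leave harmless URLs byte-for-byte intact
            findings.append((no, urlsplit(match.group(0)).hostname, leaked))
            return clean
        cleaned.append(URL_RE.sub(repl, line))
    return findings, cleaned

# Constructed proxy-log lines (not real traffic); hosts and parameters are made up.
SAMPLE = [
    "10.0.0.5 CONNECT mail.example.test:443",
    "10.0.0.5 GET https://mail.example.test/login?login=my_username"
    "&passwd=my_password&lang=en 200",
    "10.0.0.7 GET http://intranet.example.test/index.html?page=2 200",
]

if __name__ == "__main__":
    hits, redacted = scan_log(SAMPLE)
    for hit in hits:
        print("credentials in URL:", hit)
    print("\n".join(redacted))
```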
May 26th, 2002, 05:54 PM
Thanks for the heads up... Greenies for you!