Results 1 to 7 of 7

Thread: Bug in Trillian

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    15

    Angry Bug in Trillian

    I have recently found a bug in the Trillian messager program. When you check your email, your username and password are transfered in cleartext. For example, if I want to check hotmail:

    https://loginnet.passport.com/cgi-bi...wd=my_password

    Where my_username and my_password are usernames and passwords respectively This vulnerability would be great for packet sniffing, either local to the computer or on the network.

    -Lone1337

  2. #2
    Banned
    Join Date
    Sep 2001
    Posts
    521
    Hrm....... that definately isnt good, they need to learn how to hide this.... hehe, you should e-mail trillain about this...
    greenies for you.

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    How is this a bug? The only other way to access your hotmail account from third party software would be to strike some deal with microsoft to get into your account similar to the way msn messenger does it. So, we are either looking at some contract from trillian with microshit, or have them remain third party software, if it is that important for you not to see your username and password then download msn messenger.

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    It's called bad design, not really a bug (unless you've seen the specs for it and they say otherwise). It's been there forever too. It is also using https when the data is sent...so there should be an encrypted connection when the data is sent (hopefully).
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  5. #5
    Banned
    Join Date
    Sep 2001
    Posts
    521
    hah, i didnt see the HTTPS didnt really pay attention to the URL.... your safe hehe

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    It's not a bug, it's a feature since Trillian tells the user that the username and password are transmitted in the url.

    Source: Preferences in Trillian v. 0.725

    [MSN/MISC/Hotmail options]
    Automatically login to my Hotmail account (transmits username/password in url)

  7. #7
    Banned
    Join Date
    Mar 2002
    Posts
    520
    Thanks for the heads up... Greenies for you!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •