--------------------------------------
DISCLAIMER

Everything found in this tutorial is to be used for educational purposes only and to shed light on the security risks of using Trillian as your chat client. I do not advocate the stealing of login information for any purposes whatsoever. If you do something illegal, I accept no responsibility for anything you may damage and hold no accountability for the things you learned. If you do not agree to adhere to the above-mentioned terms, do not read this tutorial.

---------------------------------------

Trillian, a popular multi-network chat client, has been around for quite some time. Unfortunately, its password security is horrible. I've emailed them once or twice regarding this problem and have not gotten a response. I started cracking Trillian's password encoding a few months ago, and just today I looked through my hard drive and found the old project plus my password-finding table. I wrote a program in Euphoria that helped speed up the process of cracking Trillian; it uses a modified form of sendkeys.ew (email me for a copy).

Some background:
First, let's talk a little about how Trillian encodes passwords. It stores the encoded form as hex digits in an ini file. From what I've gathered, the only inputs to the encoding are the character itself and its position in the password. Note that the encoded string is twice as long as your password: by observation, every two encoded hex digits represent a single character of the password.

Well, now, how do we get at these encoded passwords? They're stored in the appropriate ini files. The password for a Trillian profile is stored under your Trillian folder in the file \users\global\profiles.ini. That file holds information about each profile, including its encoded password, profile name, and settings such as autologin. If you want to hijack a Trillian account from that computer, all you need to do is set the Automatic Login variable to 1, which bypasses the login altogether.

Now, if the profile doesn't auto-login to the individual services, you can tweak the entries in \users\%profile% in aim.ini, yahoo.ini, and msn.ini the same way. Say you didn't want to just access the account via the cheap autologin method, but wanted the password itself. Well, it's frighteningly easy to get.

Steps for cracking:
1) Create a blank account
2) Give it a password of a single character repeated however many times you want
3) Log in, then record the encoded password that's in profiles.ini
4) Exit trillian
5) Reload trillian, enter the old repeated character and click Edit
6) Now, push the Clear button and enter another repeated character for your password
7) Click the save button and type in the repeated character again to verify
8) Repeat steps 3 through 7 until you've collected lists of all the characters you want

Well, that was awfully easy, wasn't it? A bit time consuming if you don't write a program to help you with it, but still very easy. So, let's say we wanted to crack a password using the lists collected above (I recommend an editor like PFE or Emacs for this, because they keep the cursor in the same column as you move down). Look at the first two digits of the encoded string and try to match them against the first two digits of one of the collected strings. If you find a match, the character you used to generate that string is the first character of the password. Do the same with the next two digits of your string, matching them against the 3rd and 4th digits of the collected strings. Continue until you have processed every pair of digits, and you'll have the password.

Wow, that was really easy wasn't it? Kinda scary, huh?
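To make the weakness concrete from a reviewer's point of view, here is an added example that is not code from the original post and is not Trillian's actual algorithm. It defines a set of chosen-input probes that flag exactly the properties which make a per-position codebook trivially reversible (determinism, per-position independence, length leakage), and runs them against a hypothetical keyless position-dependent substitution (constructed here to stand in for the kind of scheme described in the background and matching sections) and against a keyed, randomized alternative. All names in it (toy_obfuscate, keyed_protect, keyed_recover, audit) and the constants they use are assumptions of this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # fixed ciphertext body size so stored length does not reveal password length


def toy_obfuscate(password: str) -> str:
    """Hypothetical keyless, position-dependent substitution (constructed for this
    example; NOT Trillian's real algorithm). Each ASCII character is mixed with a
    constant that depends only on its position and stored as two hex digits, so the
    output is exactly twice the password length, like the encoding described above."""
    return "".join(f"{ord(c) ^ ((37 * i + 11) & 0x7F):02x}" for i, c in enumerate(password))


def keyed_protect(password: str, key: bytes) -> str:
    """Keyed, randomized contrast: fresh random salt per stored entry, HMAC-derived
    keystream, and an HMAC tag over the result. The key lives outside the file
    (derived from a master password or held by the OS credential store).
    Demonstration construct only; production code should use a vetted AEAD or the
    platform keychain rather than a hand-rolled scheme."""
    raw = password.encode()
    if len(raw) >= BLOCK:
        raise ValueError("password too long for this demo's fixed block")
    # length-prefixed, zero-padded to BLOCK so every entry is the same size on disk
    padded = bytes([len(raw)]) + raw + b"\x00" * (BLOCK - 1 - len(raw))
    salt = secrets.token_bytes(16)
    stream = hmac.new(key, b"stream" + salt, hashlib.sha256).digest()  # 32 bytes
    body = bytes(p ^ s for p, s in zip(padded, stream))
    tag = hmac.new(key, b"tag" + salt + body, hashlib.sha256).digest()
    return (salt + body + tag).hex()


def keyed_recover(blob_hex: str, key: bytes) -> str:
    """Inverse of keyed_protect; refuses entries whose tag does not verify."""
    blob = bytes.fromhex(blob_hex)
    salt, body, tag = blob[:16], blob[16:16 + BLOCK], blob[16 + BLOCK:]
    expect = hmac.new(key, b"tag" + salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: wrong key or tampered entry")
    stream = hmac.new(key, b"stream" + salt, hashlib.sha256).digest()
    padded = bytes(b ^ s for b, s in zip(body, stream))
    return padded[1:1 + padded[0]].decode()


def audit(encode) -> dict:
    """Chosen-input probes a reviewer can run against any password-storage encoder
    (a callable str -> str). A True value is a weakness."""
    # same first character, four different tails: does the first stored chunk move?
    first_chunks = {encode("a" + tail)[:2] for tail in ("bbb", "ccc", "ddd", "eee")}
    return {
        # same password stored twice gives the same bytes: no per-entry randomness,
        # so one recovered value or one built table applies to every user
        "deterministic": encode("hunter2") == encode("hunter2"),
        # a character's encoding depends only on its own position, not on its
        # neighbours: this is what lets a per-position lookup table decode any
        # password, which is the property the steps above rely on
        "position_codebook": len(first_chunks) == 1,
        # stored length is a direct function of password length
        "length_leak": len(encode("abc")) != len(encode("abcdefgh")),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; in practice never stored beside the data
    print("toy  :", audit(toy_obfuscate))
    print("keyed:", audit(lambda p: keyed_protect(p, key)))
    print("round trip:", keyed_recover(keyed_protect("hunter2", key), key))
```

The toy encoder trips all three probes, which is the whole reason a chosen-plaintext table works against it: anyone who can run the client can regenerate the table, so the "encryption" adds nothing over plaintext. The keyed version trips none, because the only thing an attacker with the file gets is salt, ciphertext and tag, and without the key (which is not in the file) none of them says anything about the password.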

Problems:
Well, poor security is always a problem, but Trillian, being the multi-network chat client that it is, stores passwords for all sorts of other services. Because of this, if a user runs Trillian, someone could install a program to leech all of the login information stored on the computer and relay it back to whoever wanted it. Accounts could be hijacked left and right. That's bad, very bad. So, if you value your privacy, either lock down Trillian while you're not using it, or just don't use Trillian at all. Trillian can be found at http://www.trillian.cc for anyone interested in checking this out for themselves.

All tests were done on Trillian Basic, and I am not aware of this vulnerability in Trillian Pro, but it's likely that it exists there as well. If anyone could verify this for me, mail me at code_x@phreaker.net

[EDIT] Removed the character lists, as they really gave no informative value compared to the rest of the article. One could regenerate the lists using the steps above, but, after rethinking the post, I feel that the pre-made lists would generally never be used by anyone with good intentions and that it was somewhat irresponsible to post them. In the future, I will refrain from writing actual solution tables in the post, as they will generally tend more towards misuse than education.[/EDIT]