Printable View
I have recently found a bug in the Trillian messager program. When you check your email, your username and password are transfered in cleartext. For example, if I want to check hotmail:
https://loginnet.passport.com/cgi-bi...wd=my_password
Where my_username and my_password are usernames and passwords respectively :p This vulnerability would be great for packet sniffing, either local to the computer or on the network.
-Lone1337
Hrm....... that definately isnt good, they need to learn how to hide this.... hehe, you should e-mail trillain about this...
greenies for you.
How is this a bug? The only other way to access your hotmail account from third party software would be to strike some deal with microsoft to get into your account similar to the way msn messenger does it. So, we are either looking at some contract from trillian with microshit, or have them remain third party software, if it is that important for you not to see your username and password then download msn messenger.
It's called bad design, not really a bug (unless you've seen the specs for it and they say otherwise). It's been there forever too. It is also using https when the data is sent...so there should be an encrypted connection when the data is sent (hopefully).
hah, i didnt see the HTTPS didnt really pay attention to the URL.... your safe :) hehe
It's not a bug, it's a feature since Trillian tells the user that the username and password are transmitted in the url.
Quote:
Source: Preferences in Trillian v. 0.725
[MSN/MISC/Hotmail options]
Automatically login to my Hotmail account (transmits username/password in url)
Thanks for the heads up... Greenies for you!