How to save passwords more securely?!

skyout at wired-security.net
Sat Jun 21 20:45:54 EDT 2008


Dear Pidgin developers,

I am writing to you because of something I would consider a
more or less security vulnerability. It is nothing that is
exploitable remotely, nor anything I would consider an exploit at
all, but I would like to talk about it with you because it
could be designed in a better way.

First off: I very much respect your work, and this email is
in NO way meant as an offense against your work as developers.
So please answer as respectfully as I write to you. Thanks.

So here it comes: ---

As we all know, Pidgin saves its information in .purple; this
directory is located at the following locations on the respective systems:

Unix/Linux/BSD... -> /home/.../.purple
Windows: C:\Users\...\AppData\Roaming\.purple

In this directory we have the following file that worries me:
accounts.xml, which contains the following text; for example,
in my case it looks like this:

--- SNIP ---
<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
<account>
<protocol>prpl-icq</protocol>
<name>300852578</name>
<password>*</password>
<alias>SkyOut</alias>
[...]
<account>
<protocol>prpl-msn</protocol>
<name>rooter05 at freenet.de</name>
<password>*</password>
<alias>SkyOut</alias>
[...]
<account>
<protocol>prpl-jabber</protocol>
<name>cr3x at jaim.at/0x00</name>
<password>*</password>
<alias>SkyOut</alias>
[...]
--- SNIP ---

The passwords for the accounts are saved in cleartext, which I
would consider insecure. I have written a program called pidgindump.rb
that gets the information out of this file and blist.xml, which looks
like this:

--- SNIP ---
<?xml version='1.0' encoding='UTF-8' ?>
<purple version='1.0'>
<blist>
<group name='Buddies'/>
<group name='MSN_2'>
<setting name='collapsed' type='bool'>0</setting>
<contact>
<buddy account='*' proto='prpl-msn'>
<name>*@*.*</name>
<alias>*</alias>
<setting name='buddy_icon' type='string'>*.png</setting>
<setting name='icon_checksum' type='string'>*</setting>
<setting name='last_seen' type='int'>*</setting>
</buddy>
</contact>
[...]
--- SNIP ---

The program can be found here:
http://wired-security.net/releases/others/pidgindump.rb.txt ...

With some simple Ruby routines and regexes you can get the passwords
of the accounts, for example for ICQ:

--- SNIP ---
# Reads ~/.purple/accounts.xml line by line and writes the ICQ login and
# password to `logins`, an already-opened output stream (stdout here is an
# assumption; the full script writes to a file).
logins = $stdout
File.foreach(File.expand_path('~/.purple/accounts.xml')) do |line|
  if line =~ %r{<protocol>prpl-icq</protocol>}i
    logins.puts "-----------"
    logins.puts "ICQ ACCOUNT"
    logins.puts "-----------"
  end

  # ICQ UINs are purely numeric, so a digit-only <name> marks the login.
  if (m = line.match(%r{<name>([0-9]+)</name>}i))
    logins.puts "LOGIN: #{m[1]}"
  end

  # Only alphanumeric passwords match; one containing other characters
  # (or an XML entity such as &amp;) is silently skipped.
  if (m = line.match(%r{<password>([a-zA-Z0-9]+)</password>}i))
    logins.puts "PASSWORD: #{m[1]}"
    logins.puts ""
  end
end
--- SNIP ---

It is not much different for getting the ICQ UINs out of blist.xml:

--- SNIP ---
# Same idea for blist.xml: every digit-only <name> is taken as an ICQ UIN.
icq = $stdout   # assumption: the full script writes to a file instead
File.foreach(File.expand_path('~/.purple/blist.xml')) do |line|
  if (m = line.match(%r{<name>([0-9]+)</name>}i))
    icq.puts m[1]
  end
end
--- SNIP ---

This is nothing problematic until the following point: a user's computer
gets compromised by a virus. The virus could simply read out all the ICQ
UINs and can be quite sure that the other ICQ users (those the UINs belong to)
have granted OUR user permission to write them messages. So the whole concept
would end up in a worm that uses those two files (accounts.xml / blist.xml) to
get victims. The worm could silently establish a connection to the ICQ
network and send instant messages to the other users. They will most likely
trust them and maybe follow a link to download the worm, or to a webpage
attacking the victim via exploits, or whatever the worm author's fantasy
is capable of.

-----------------------------------------------------------------------------

So my question is: Isn't there a more secure and better way to save
passwords (and if possible the buddy list) to ensure that an attacker
having access to the victim's computer can't simply read them out?

Just a suggestion: Would it work to use something like a hash algorithm
(maybe an existing one like SHA-512), or, what I would consider even
better: how about having a master password that decrypts the passwords?

I have five accounts in my Pidgin. Typing five passwords every time I log
into my messenger to start chatting would really suck, but one password
to decrypt all the others, that would still be good usability!

-----------------------------------------------------------------------------

I am hoping for your response... Reach me at: skyout at wired-security.net

I am very busy, but I don't exclude the possibility of working with you on
that issue and helping develop Pidgin, but that is only theory for now.

Thanks for your attention,
SkyOut
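The master-password approach suggested in the mail, as an added example that is not part of the original message and not Pidgin's code: it parses accounts.xml with a real XML parser (REXML) instead of regexes, derives an AES-256 key from one master password with PBKDF2, and seals each <password> with AES-256-GCM, binding the ciphertext to its protocol and account name. A plain hash (SHA-512 or otherwise) does not fit this job, since the client has to present the real password to the server; reversible encryption under a master key does. The sample accounts.xml, the master password, the iteration count, the `kdf-salt` attribute and the `enc:v1:` value prefix are all constructed for this example and are not Pidgin's on-disk format.

```ruby
# Added example, not Pidgin code: seal the <password> values of accounts.xml
# under a key derived from one master password, and read them back.
require 'rexml/document'
require 'openssl'

# Constructed sample in the accounts.xml layout quoted in the mail.
# The UIN, JID and passwords are made up for the example.
SAMPLE_ACCOUNTS_XML = <<~XML
  <?xml version='1.0' encoding='UTF-8'?>
  <account version='1.0'>
  <account>
  <protocol>prpl-icq</protocol>
  <name>123456789</name>
  <password>hunter2</password>
  <alias>example</alias>
  </account>
  <account>
  <protocol>prpl-jabber</protocol>
  <name>someone@example.org/home</name>
  <password>correct horse</password>
  <alias>example</alias>
  </account>
  </account>
XML

PBKDF2_ITERATIONS = 100_000   # assumption: tune so derivation takes ~100 ms
KEY_BYTES = 32                # AES-256
SALT_ATTR = 'kdf-salt'        # hypothetical root attribute, not a Pidgin field
ENC_PREFIX = 'enc:v1:'        # hypothetical marker for an encrypted value

def derive_key(master, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master, salt, PBKDF2_ITERATIONS, KEY_BYTES, 'sha256')
end

# Protocol and account name as associated data: a ciphertext blob copied
# from one <account> entry into another then fails to authenticate.
def account_aad(acct)
  [acct.elements['protocol'].text, acct.elements['name'].text].join("\0")
end

# AES-256-GCM with a fresh random nonce per password; output is
# "enc:v1:" + base64(iv) + ":" + base64(tag) + ":" + base64(ciphertext).
def seal_password(key, aad, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ct = cipher.update(plaintext) + cipher.final
  ENC_PREFIX + [iv, cipher.auth_tag, ct].map { |b| [b].pack('m0') }.join(':')
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, wrong AAD or tampering.
def open_password(key, aad, blob)
  raise ArgumentError, 'not an encrypted value' unless blob.start_with?(ENC_PREFIX)
  iv, tag, ct = blob.delete_prefix(ENC_PREFIX).split(':').map { |s| s.unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ct) + cipher.final
end

# Returns the accounts.xml text with every non-empty <password> sealed and
# the KDF salt recorded on the root element.
def encrypt_accounts(xml, master)
  doc = REXML::Document.new(xml)
  salt = OpenSSL::Random.random_bytes(16)
  doc.root.add_attribute(SALT_ATTR, [salt].pack('m0'))
  key = derive_key(master, salt)
  REXML::XPath.each(doc, '/account/account') do |acct|
    pw = acct.elements['password']
    next if pw.nil? || pw.text.nil? || pw.text.empty?
    pw.text = seal_password(key, account_aad(acct), pw.text)
  end
  doc.to_s
end

# Returns { "<protocol>\0<name>" => plaintext password } for a sealed file.
def decrypt_accounts(xml, master)
  doc = REXML::Document.new(xml)
  salt = doc.root.attributes[SALT_ATTR].unpack1('m0')
  key = derive_key(master, salt)
  out = {}
  REXML::XPath.each(doc, '/account/account') do |acct|
    pw = acct.elements['password']
    next if pw.nil? || pw.text.nil?
    out[account_aad(acct)] = open_password(key, account_aad(acct), pw.text)
  end
  out
end

if __FILE__ == $0
  sealed = encrypt_accounts(SAMPLE_ACCOUNTS_XML, 'master-pw')
  puts sealed
  p decrypt_accounts(sealed, 'master-pw')
end
```

Run it and the printed accounts.xml carries only ciphertext; reading it back with the wrong master password raises OpenSSL::Cipher::CipherError instead of yielding garbage. The caveat worth stating: this protects the file at rest (a copied .purple directory, a backup, a stolen disk). Malware running under the user's account while Pidgin is unlocked can still read the decrypted passwords out of the process or wait for the master password to be typed, and the buddy list cannot be hidden at all from a process that runs as the user, since the client must hold it in the clear to work.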



