How to save passwords more secure?!

Hylke Bons h.bons at student.rug.nl
Sat Jun 21 20:51:46 EDT 2008


http://developer.pidgin.im/wiki/PlainTextPasswords

But thanks anyways. :)

Hylke

skyout at wired-security.net wrote:
> Dear Pidgin developers,
>
> I am writing to you because of something I would consider more or
> less a security vulnerability. It is nothing that is exploitable
> remotely or that I would consider an exploit at all, but I would
> like to talk about it with you because it could be designed a
> better way.
>
> First off: I very much respect your work and this email shall in
> NO way be any offense against your work as developers. So please
> answer as respectfully as I write to you. Thanks.
>
> So here it comes: ---
>
> As we all know, Pidgin saves its information in .purple. This
> directory is located at the following locations on each system:
>
> Unix/Linux/BSD... -> /home/.../.purple
> Windows: C:\Users\...\AppData\Roaming\.purple
>
> In this directory we have the following file that makes me
> worry: accounts.xml. It has the following content; in my case
> it looks like this:
>
> --- SNIP ---
> <?xml version='1.0' encoding='UTF-8' ?>
> <account version='1.0'>
> <account>
> <protocol>prpl-icq</protocol>
> <name>300852578</name>
> <password>*</password>
> <alias>SkyOut</alias>
> [...]
> <account>
> <protocol>prpl-msn</protocol>
> <name>rooter05 at freenet.de</name>
> <password>*</password>
> <alias>SkyOut</alias>
> [...]
> <account>
> <protocol>prpl-jabber</protocol>
> <name>cr3x at jaim.at/0x00</name>
> <password>*</password>
> <alias>SkyOut</alias>
> [...]
> --- SNIP ---
>
> The passwords for the accounts are saved in cleartext, which I
> would consider insecure. I have written a program called pidgindump.rb
> that gets the information out of this file + blist.xml, which looks
> like this:
>
> --- SNIP ---
> <?xml version='1.0' encoding='UTF-8' ?>
> <purple version='1.0'>
> <blist>
> <group name='Buddies'/>
> <group name='MSN_2'>
> <setting name='collapsed' type='bool'>0</setting>
> <contact>
> <buddy account='*' proto='prpl-msn'>
> <name>*@*.*</name>
> <alias>*</alias>
> <setting name='buddy_icon' type='string'>*.png</setting>
> <setting name='icon_checksum' type='string'>*</setting>
> <setting name='last_seen' type='int'>*</setting>
> </buddy>
> </contact>
> [...]
> --- SNIP ---
>
> The program can be found here:
> http://wired-security.net/releases/others/pidgindump.rb.txt ...
>
> With some simple ruby routines and regex you can get the passwords
> of the accounts, for example for ICQ:
>
> --- SNIP ---
>           # excerpt from pidgindump.rb: this runs inside a loop over the
>           # lines of accounts.xml; `logins` is the file the dump is written to
>           if line =~ /\<protocol\>prpl-icq\<\/protocol\>/i
>             # an ICQ account block starts here: write a section header
>             logins.puts "-----------"
>             logins.puts "ICQ ACCOUNT"
>             logins.puts "-----------"
>           end
>
>           if line =~ /\<name\>[0-9]+\<\/name\>/i
>             # <name>UIN</name>: keep the text between the first '>' and the next '<'
>             line = line.split('>')
>             line = line.fetch(1)
>             line = line.split('<')
>             line = line.fetch(0)
>             logins.puts "LOGIN: #{line}"
>           end
>
>           if line =~ /\<password\>[a-zA-Z0-9]+\<\/password\>/i
>             # <password>...</password>: same extraction (regex only matches alphanumeric passwords)
>             line = line.split('>')
>             line = line.fetch(1)
>             line = line.split('<')
>             line = line.fetch(0)
>             logins.puts "PASSWORD: #{line}"
>             logins.puts ""
>           end
> --- SNIP ---
>
> Not much different for getting the ICQ UINs out of blist.xml:
>
> --- SNIP ---
>           # excerpt from pidgindump.rb: same line loop over blist.xml;
>           # `icq` is the file the extracted UINs are written to
>           if line =~ /\<name\>[0-9]+\<\/name\>/i
>             # <name>UIN</name>: keep the text between the first '>' and the next '<'
>             line = line.split('>')
>             line = line.fetch(1)
>             line = line.split('<')
>             line = line.fetch(0)
>             icq.puts "#{line}"
>           end
> --- SNIP ---
>
> This is nothing problematic until the following point: A user's computer
> gets compromised by a virus. The virus could simply read out all the ICQ
> UINs and can be quite sure the other ICQ user (the one the UIN belongs to)
> has granted access to OUR user to write messages. So the whole concept
> would end up in a worm that uses those two files (accounts.xml / blist.xml)
> to get victims. The worm could silently establish a connection to the ICQ
> network and send instant messages to the other users. They will most
> likely trust them and maybe follow a link to download the worm or to a
> webpage attacking the victim via exploits or whatever the worm author's
> fantasy is capable of.
>
> -----------------------------------------------------------------------------
>
> So my question is: Isn't there a more secure and better way to save
> passwords (and if possible the buddy list) to ensure that an attacker
> having access to the victim's computer can't simply read them out?
>
> Just a suggestion: Would it work to use something like a hash algorithm
> (maybe use an existing one like SHA-512) or, what I would consider even
> better: how about having a master password that decrypts the passwords?
>
> I have five accounts in my Pidgin. Typing five passwords every time I log
> into my messenger to start chatting would really suck, but one password
> to decrypt all the others, that would still be good usability!
>
> -----------------------------------------------------------------------------
>
> I am hoping for your response... Reach me over: skyout at wired-security.net
>
> I am very busy, but I don't exclude the possibility of working with you on
> that issue and helping develop Pidgin, but that is only theory for now.
>
> Thanks for your attention,
> SkyOut
>
> _______________________________________________
> Devel mailing list
> Devel at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/devel
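What SkyOut's second suggestion (one master password that unlocks all account passwords) looks like in practice, as an added example that is not part of this thread, of pidgindump.rb, or of Pidgin's own code. The first suggestion, hashing with SHA-512, cannot work for this purpose: Pidgin has to send the real password to the IM server, so whatever is stored in accounts.xml must be reversible. The reversible-but-not-cleartext option is to derive a key from the master password with a password KDF and encrypt each account password under it with an authenticated cipher. Everything below (the vault layout, the function names, the PBKDF2 iteration count, the sample accounts) is assumed for the example.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example, not Pidgin code. A single master password unlocks a
# "vault" of account passwords; on disk the vault holds only salt, nonces,
# tags and ciphertext, so a copy of the file alone reveals nothing.
KDF_ITERATIONS = 200_000   # PBKDF2 work factor (assumed value)
KEY_BYTES      = 32        # AES-256
IV_BYTES       = 12        # standard GCM nonce size

# Derive the vault key from the master password and the per-vault salt.
def derive_key(master_password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(master_password, salt, iterations,
                             KEY_BYTES, OpenSSL::Digest.new('SHA256'))
end

# Encrypt every account password under the derived key. Each entry gets a
# fresh nonce, and the account name is bound in as additional authenticated
# data so an entry cannot be silently swapped onto another account.
def build_vault(master_password, passwords_by_account)
  salt = SecureRandom.random_bytes(16)
  key  = derive_key(master_password, salt, KDF_ITERATIONS)
  entries = {}
  passwords_by_account.each do |account, password|
    iv = SecureRandom.random_bytes(IV_BYTES)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = key
    cipher.iv  = iv
    cipher.auth_data = account
    ciphertext = cipher.update(password) + cipher.final
    entries[account] = {
      'iv'         => Base64.strict_encode64(iv),
      'tag'        => Base64.strict_encode64(cipher.auth_tag),
      'ciphertext' => Base64.strict_encode64(ciphertext)
    }
  end
  { 'kdf' => 'pbkdf2-hmac-sha256', 'iterations' => KDF_ITERATIONS,
    'salt' => Base64.strict_encode64(salt), 'accounts' => entries }
end

# Return { account => password }, or nil when the master password is wrong
# or any entry was modified: in both cases the GCM tag check fails.
def open_vault(master_password, vault)
  salt = Base64.strict_decode64(vault['salt'])
  key  = derive_key(master_password, salt, vault['iterations'])
  vault['accounts'].each_with_object({}) do |(account, entry), out|
    decipher = OpenSSL::Cipher.new('aes-256-gcm')
    decipher.decrypt
    decipher.key = key
    decipher.iv  = Base64.strict_decode64(entry['iv'])
    decipher.auth_tag  = Base64.strict_decode64(entry['tag'])
    decipher.auth_data = account
    ciphertext = Base64.strict_decode64(entry['ciphertext'])
    out[account] = decipher.update(ciphertext) + decipher.final
  end
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts, not real credentials.
  sample = { 'prpl-icq:123456789'            => 'hunter2',
             'prpl-jabber:alice@example.org' => 'correct-horse' }
  vault = build_vault('one master password', sample)
  p vault['accounts'].values.first        # nonce, tag and ciphertext only
  p open_vault('one master password', vault)   # the two passwords again
  p open_vault('wrong password', vault)        # nil
end
```

The vault hash could be serialized into accounts.xml in place of the cleartext `<password>` elements. Note the threat-model caveat that applies to SkyOut's virus scenario: this protects the file at rest and against someone who only copies .purple, but malware running under the same user while Pidgin holds the unlocked passwords in memory is not stopped by it, which is the trade-off the wiki page linked above discusses.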