pidgin OTR information leakage Feb 25 2012 04:31PM
Dimitris Glynos (dimitris census-labs com) (1 replies)
Pidgin transmits OTR (off-the-record) conversations over DBUS in
plaintext. This makes it possible for attackers that have gained
user-level access on a host, to listen in on private conversations
associated with the victim account.

Pidgin is a popular Instant Messenger application that runs on a wide
variety of platforms including Windows and Linux. The pidgin-otr plugin
enables users to communicate securely over any Instant Messenger network
using the ?Off-the-record? messaging protocol.

If Pidgin is compiled with DBUS support and there is a DBUS session
daemon running on the system, then all messages that are typed into
Pidgin and messages received through Pidgin are broadcasted on DBUS. The
reasoning behind this is to allow for third party applications, such as
desktop widgets to process these messages (e.g. create an animation when
a message arrives). However, among the messages transmitted over DBUS
one also finds OTR conversations in plaintext form. This is a security
problem, as the private OTR messages may leak to other (unrelated)
processes that are executing with the Pidgin user?s rights.

A more detailed advisory and proof-of-concept script can be found here:

The Pidgin and pidgin-otr development teams have been contacted about
this issue and we anticipate a fix in a coordinated future release.

The Common Vulnerabilities and Exposures (CVE) project has
assigned candidate name CVE-2012-1257 to this issue.

Disclosure Timeline
Vendor Contact(s): December 20th, 2011
CVE assignment: February 21st, 2012
Public Disclosure: February 25th, 2012

Kind regards,

Dimitris Glynos
http://census-labs.com -- IT security research, development and services

[ reply ]
Re: pidgin OTR information leakage Feb 27 2012 05:27PM
Jann Horn (jannhorn googlemail com) (1 replies)
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 07:37PM
Michele Orru (antisnatchor gmail com) (1 replies)
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 08:21PM
Rich Pieri (ratinox MIT EDU) (1 replies)
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 09:27PM
Jeffrey Walton (noloader gmail com)


Privacy Statement
Copyright 2010, SecurityFocus