mailing list archives
Re: [Full-disclosure] pidgin OTR information leakage
From: Dimitris Glynos <dimitris () census-labs com>
Date: Tue, 28 Feb 2012 00:14:49 +0200
On 02/27/2012 11:23 PM, devnull () vonage com wrote:
I believe that clarification is in order.
Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.
And it boils down to this:
Once a process sends private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it. So, if for example the user
selects not to log OTR plaintext (so that this sensitive information
doesn't touch the hard drive) another application on the other end
of DBUS might choose to do something different (and not by malicious
intent). There is no way to enforce the same security policy on the
sender and the receivers.
How this could be exploited by attackers or what forensic evidence
DBUS snooping leaves are of much less importance than the above
There is a very good discussion on the pidgin ticket page:
Also, I've made some updates to our post, to make it clearer
as to what this issue is about:
If there are still questions, I'll be happy to answer them.
Hope this clarifies things a bit,