 
Full Disclosure mailing list archives
Re: pidgin OTR information leakage
From: Dimitris Glynos <dimitris () census-labs com>
Date: Tue, 28 Feb 2012 00:14:49 +0200
On 02/27/2012 11:23 PM, devnull () vonage com wrote:
I believe that clarification is in order.
Indeed it is. The original post mentions a same-user attack vector which is very misleading as to what the real problem here is. And it boils down to this: Once a process sends private info over DBUS there is no way to control where this ends up (which apps are the qualified receivers) or what the receivers do with it. So, if for example the user selects not to log OTR plaintext (so that this sensitive information doesn't touch the hard drive) another application on the other end of DBUS might choose to do something different (and not by malicious intent). There is no way to enforce the same security policy on the sender and the receivers. How this could be exploited by attackers or what forensic evidence DBUS snooping leaves are of much less importance than the above privacy issue. There is a very good discussion on the pidgin ticket page: http://developer.pidgin.im/ticket/14830 Also, I've made some updates to our post, to make it clearer as to what this issue is about: http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/ If there are still questions, I'll be happy to answer them. Hope this clarifies things a bit, Dimitris _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- pidgin OTR information leakage Dimitris Glynos (Feb 27)
- Re: pidgin OTR information leakage Dimitris Glynos (Feb 27)
- Re: pidgin OTR information leakage Jann Horn (Feb 27)
- Re: pidgin OTR information leakage Michele Orru (Feb 27)
- Re: pidgin OTR information leakage Rich Pieri (Feb 28)
- Re: pidgin OTR information leakage Jeffrey Walton (Feb 27)
- Re: pidgin OTR information leakage Ferenc Kovacs (Feb 27)
 
- Message not available
- Re: pidgin OTR information leakage Dimitris Glynos (Feb 28)
 
- Re: pidgin OTR information leakage Michele Orru (Feb 27)
 
- <Possible follow-ups>
- Re: pidgin OTR information leakage Dimitris Glynos (Feb 28)


