pagvac wrote:
Title: Google Talk Beta Messenger cleartext credentials in process memory
Description
Google Talk stores all user credentials (username and password) in
clear-text in the process memory. Such vulnerability was found on
August 25, 2005 (two days after the release of Google
Hi,
If I am right Google Talk Beta Messenger cleartext credentials in process memory still exist on the current version.
Google's answer for this issue:
plainchar - hex char
6ackpace
On 11/29/05, Jaroslaw Sajko [EMAIL PROTECTED] wrote:
pagvac wrote: Title: Google Talk Beta Messenger cleartext
Personally I only tested the patched version by searching for the
ASCII (decimal) representation of my own password.
In other words, I searched for mypassword with a hex editor, rather
than its hexadecimal representation 6d7970617373776f7264
If what you're saying is that all Google did is change
On Tue, Nov 29, 2005 at 11:57:00AM +0100, Jaroslaw Sajko wrote:
pagvac wrote:
Jaroslaw,
thanks for your post. You're right, the same issue occurs in *many*
applications. However, any vendor that is serious about security will
at least attempt to obfuscate the credentials in memory
Nasko Oskov wrote:
If you want to protect the credentials in memory from dumps that go to
Microsoft, why not use CryptProtectMemory() instead of home-grown
obfuscation? This function encrypts the memory with a key that changes
over reboots, so even if you send a dump to MS, they wouldn't know
On Tue, Nov 29, 2005 at 01:11:47PM -0500, Nasko Oskov wrote:
If you want to protect the credentials in memory from dumps that go to
Microsoft, why not use CryptProtectMemory() instead of home-grown
obfuscation? This function encrypts the memory with a key that changes
over reboots, so even
Title: Google Talk Beta Messenger cleartext credentials in process memory
Affected versions: 1.0.0.64 (this version is believed to be the first
one released to the public)
Vendor contacted: 25/08/05
Patched version released: 29/08/05
Advisory released: 28/11/05
Author: pagvac (Adrian Pastor)
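
The thread points out that searching a dump only for the ASCII form of a password misses the same password stored as its hexadecimal representation. The following is an added example, not code from the thread or from Google, for checking a memory dump of your own application for a test credential in several encodings; the function names, the dump bytes and the account name are constructed for illustration.

```python
from __future__ import annotations


def encodings_of(secret: str) -> dict[str, bytes]:
    """Byte patterns under which a credential may sit in process memory."""
    raw = secret.encode("utf-8")
    return {
        "ascii/utf-8": raw,                              # e.g. mypassword
        "utf-16le": secret.encode("utf-16-le"),          # Windows wide strings
        "hex-lower": raw.hex().encode("ascii"),          # e.g. 6d7970...
        "hex-upper": raw.hex().upper().encode("ascii"),
    }


def scan_dump(dump: bytes, secret: str) -> dict[str, list[int]]:
    """Return {encoding name: [offsets]} for every encoding found in the dump."""
    hits: dict[str, list[int]] = {}
    for name, needle in encodings_of(secret).items():
        offsets = []
        pos = dump.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = dump.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample dumps: one holds the test password as plain ASCII,
# the other holds only its hexadecimal representation.
PREFIX = b"\x00" * 16 + b"user@example.com\x00"
DUMP_ASCII = PREFIX + b"mypassword\x00" + b"\xff" * 8
DUMP_HEX = PREFIX + b"6d7970617373776f7264\x00" + b"\xff" * 8

if __name__ == "__main__":
    for label, dump in (("ascii dump", DUMP_ASCII), ("hex dump", DUMP_HEX)):
        print(label, scan_dump(dump, "mypassword"))
```

An ASCII-only search reports the second dump as clean; a hex-encoded secret is as recoverable as the plain one, so a check should cover every encoding the application might use.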