Sametime security risk or not?

by Volker Weber

I did not think this was possible:

So what functionality am I referring to? The getPassword() function ... in the Connect Client API.

This function allows a Sametime plug-in developer to retrieve the user's clear text Sametime password if they are logged in.

Do you know what your plug-ins are doing?

More >

Comments

You're kidding, aren't you? This is really a 101 of authentication that credentials shouldn't be stored or transmitted in plaintext. Oh, and just on the side, transmitting a hash of the password is also not the solution if the client submits the hash as the credential (seen that before...).

Ragnar Schierholz, 2009-02-01

Clearly a security risk. Anything that exposes a user's password in clear text without the user involved is a really bad idea.

Ken Porter, 2009-02-02

The ability to get a password in clear text isn't very smart, but won't it require local admin rights on a Windows machine to install a Sametime plugin?

Flemming Riis, 2009-02-02

Carl Tyler did a good write up on it a couple of days ago.

Main point is you should never install any sametime plugins unless you can verify the functionality of what they do.

Simon O'Doherty, 2009-02-02

Simon, I know. This IS about Carl's post.

The Sametime client architecture, like other Expeditor applications, encourages the installation of plug-ins. And unless you read the source code and compile the application yourself, you will never know what that plug-in does.

Volker Weber, 2009-02-02

Yes, I also think that this function is unnecessary and makes it much easier to steal someone's passwords.
But if you think about it, then don't you have a similar risk with ANY software which you install/run on your computer? You always have no other option than to trust the producer. How do you know that Skype/Notepad++/AntiVirus is not logging any of your keystrokes? From such a list the passwords can be retrieved easily.
Well, installing a Sametime plug-in is not more or less dangerous than installing any other software.

Hynek Kobelka, 2009-02-02

If you are really serious, I think you could work for IBM in Sametime security. :-)

Volker Weber, 2009-02-02

Hi,

you can do this for Windows passwords in your Windows network too, with the help of the NTLM protocol and the open source implementation of Samba.

Karsten

Karsten Fusenig, 2009-02-02

So... as long as it sucks only as bad as Windows, it's OK?

Craig Wiseman, 2009-02-02

Craig, don't be fooled so easily. MS has not published an API to retrieve the user's password in clear text.

Volker Weber, 2009-02-02

Let's take a second and understand some of the implications... While users log on to their Sametime client, authentication is not against the local installation but a Directory Service. Most installations would probably use DD or LDAP (or other directories that publish LDAP). Both services are typically used for access control of numerous applications. So by stealing the password for Sametime, you are actually getting access to DWA mailfile, the BW, intranet etc.

Even better, some enterprises are as dumb as to use Lotus/IBM features like password synchronization. Congratulations, here's the password of the Windows account.

Hopefully I just get this wrong. If anyone has more insights, please share. If these assumptions are correct, the Sametime API must be considered one of the worst backdoors on corporate PCs.

Dirk Rose, 2009-02-02

This is just plain crazy. I just can't see a legitimate reason for the getPassword() function being there. All a plug-in should need to know is that yes, Sametime has an active session to the server and it can do whatever it does. Except, of course, grab my password in cleartext.

Did Charlie Kaufman know about this? Was it the reason he left?

Joerg Michael, 2009-02-02

Flemming - to answer your question, "wont it require local admin rights on a windows machine to install a Sametime plugin ?" the answer is "no". On a locked down desktop, Sametime will install a plug-in to the user's data directory which will not require admin rights.

Glen Salmon, 2009-02-03

@Volker ahh I see the link. Thought the "more" was to expand this thread. A lil confusing. :)

Simon O'Doherty, 2009-02-03

Glen thanks.

Flemming Riis, 2009-02-03
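The point Joerg Michael makes above, that a plug-in only needs to know a session exists and not the credential behind it, is an API design question, and Dirk Rose's comment explains why it matters: the Sametime password is usually a directory password reused elsewhere. The following is an added illustration, not IBM or Sametime code and not Carl Tyler's: it contrasts a credential-exposing session object, whose `getPassword()` mirrors the shape of the method named in the post, with a host that authenticates, wipes the secret, and hands plug-ins an opaque handle scoped to their own actions. Every class and method name other than `getPassword()` is hypothetical.

```java
import java.util.Arrays;
import java.util.UUID;

/**
 * Added illustration (not IBM/Sametime code): two ways a chat client could expose
 * a logged-in session to plug-ins. All names except getPassword() are hypothetical.
 */
public final class PluginSessionDemo {

    /** Design A: whoever holds a reference to the session holds the directory password. */
    static final class ExposingSession {
        private final String user;
        private final String password;

        ExposingSession(String user, String password) {
            this.user = user;
            this.password = password;
        }

        String getUser() {
            return user;
        }

        /** Any plug-in with a reference can read the credential in clear text and send it anywhere. */
        String getPassword() {
            return password;
        }
    }

    /** Design B: the host keeps the credential, authenticates, wipes it, and hands plug-ins a capability. */
    static final class Host {
        private final String user;
        private char[] password;          // zeroed as soon as login completes
        private boolean authenticated;

        Host(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        /** Simulated directory bind; a real client would send the credential to LDAP/Domino here. */
        void login() {
            authenticated = password != null && password.length > 0;
            Arrays.fill(password, '\0');  // leave no readable copy for a plug-in to find in memory
            password = null;
        }

        /** A plug-in receives a handle that proves "there is a session", nothing more. */
        PluginSession openSession(String pluginId) {
            if (!authenticated) {
                throw new IllegalStateException("user is not logged in");
            }
            return new PluginSession(this, pluginId);
        }

        /** Privileged actions are performed by the host on the plug-in's behalf, never by the plug-in itself. */
        String sendMessage(PluginSession session, String recipient, String text) {
            if (session.host != this) {
                throw new SecurityException("session does not belong to this host");
            }
            return user + " -> " + recipient + " [" + session.pluginId + "]: " + text;
        }
    }

    /** Opaque handle: no accessor for the credential exists, so no plug-in can ask for it. */
    static final class PluginSession {
        private final Host host;
        final String pluginId;
        final String id = UUID.randomUUID().toString();

        private PluginSession(Host host, String pluginId) {
            this.host = host;
            this.pluginId = pluginId;
        }

        boolean isActive() {
            return host.authenticated;
        }
    }

    public static void main(String[] args) {
        // Constructed sample credential; in a real deployment this is the user's directory password.
        ExposingSession a = new ExposingSession("alice", "s3cret");
        System.out.println("Design A: plug-in reads " + a.getUser() + "'s password: " + a.getPassword());

        Host host = new Host("alice", "s3cret".toCharArray());
        host.login();
        PluginSession s = host.openSession("com.example.hypothetical.plugin");
        System.out.println("Design B: session active = " + s.isActive() + ", id = " + s.id);
        System.out.println(host.sendMessage(s, "bob", "hello"));
        // Nothing on s or host returns the password; the char[] was wiped right after the bind.
    }
}
```

The design B handle gives the host a natural audit point (every privileged call passes through `sendMessage`, tagged with the plug-in id), and it removes the reusable directory credential from what any plug-in can reach, which is the exposure Dirk Rose describes. It does not make untrusted plug-ins safe: code running in the same process can still do other harm, which is why the advice in the thread to install only plug-ins whose behaviour you can verify still stands.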
