Sametime security risk or not?
by Volker Weber
I did not think this was possible:
So what functionality am I referring to? The getPassword() function ... in the Connect Client API.
This function allows a Sametime plug-in developer to retrieve the users clear text Sametime password if they are logged in.
Do you know what your plug-ins are doing?
Comments
You're kidding, aren't you? This is really a 101 of authentication that credentials shouldn't be stored or transmitted in plaintext. Oh, and just on the side, transmitting a hash of the password is also not the solution if the client submits the hash as the credential (seen that before...).
Clearly a security risk. Anything that exposes a user's password in clear text without the user involved is a really bad idea.
the ability to get a password in clear text isnt very smart , but wont it require local admin rights on a windows machine to install a sametime plugin ?
Carl Tyler did a good write up on it a couple of days ago.
Main point is you should never install any sametime plugins unless you can verify the functionality of what they do.
Simon, I know. This IS about Carl's post.
The Sametime client architecture, like other Expeditor applications, encourages the installation of plug-ins. And unless you read the source code and compile the application yourself, you will never know that plug-in does.
Yes I also think that this function is unnecessary and makes it much easier steal someones passwords.
But if you think about it, then don't you have a similar risk with ANY software which you install/run on your computer? You always have no other option then to trust the producer. How do you know that SKYPE/Notepad++/AntiVirus/ is not logging any of your keystrokes. From such list the passwords can be retrieved easily.
Well installing a sametime-plugin is not more or less dangerous then installing any other software.
If you are really serious, I think you could work for IBM in Sametime security. :-)
Hi,
you can do this for windows passwords in your windows network too, with the help of the ntml protocol and the open source implementation of samba.
Karsten
So... as long as it sucks only as bad as Windows, it's OK?
Craig, don't be fooled so easily. MS has not published an API to retrieve the user's password in clear text.
Let's take a second and understand some of the implications... While users log on to their Sametime client, authentication is not against the local installation but a Directory Service. Most installations would probably use DD or LDAP (or other directories that publish LDAP). Both services are typically used for access control of numerous applications. So by stealing the password for Sametime, you are actually getting access to DWA mailfile, the BW, intranet etc.
Even better, some enterprises are as dump as to use Lotus/IBM features like password synchronization. Congratulations, here's the password of the Windows account.
Hopefully I just get this wrong. If anyone has more insights, please share. If these assumptions are correct, the Sametime API must be considered one of the worst backdoors on corporate PCs.
This is just plain crazy. I just can't see a legitimate reason for the getPassword() function being there. All a plug-in should need to know is that yes, Sametime has an active session to the server and it can do whatever it does. Except, of course, grab my password in cleartext.
Did Charlie Kaufman know about this? Was it the reason he left?
Flemming - to answer your question, "wont it require local admin rights on a windows machine to install a Sametime plugin ?" the answer is "no". On a locked down desktop, Sametime will install a plug-in to the user's data directory which will not require admin rights.
@Volker ahh I see the link. Thought the "more" was to expand this thread. A lil confusing. :)
Glen thanks.
