Sametime security risk or not?

by Volker Weber

I did not think this was possible:

So what functionality am I referring to? The getPassword() function ... in the Connect Client API.

This function allows a Sametime plug-in developer to retrieve the users clear text Sametime password if they are logged in.

Do you know what your plug-ins are doing?

More >

Comments

You're kidding, aren't you? This is really a 101 of authentication that credentials shouldn't be stored or transmitted in plaintext. Oh, and just on the side, transmitting a hash of the password is also not the solution if the client submits the hash as the credential (seen that before...).

Ragnar Schierholz, 2009-02-01

Clearly a security risk. Anything that exposes a user's password in clear text without the user involved is a really bad idea.

Ken Porter, 2009-02-02

the ability to get a password in clear text isnt very smart , but wont it require local admin rights on a windows machine to install a sametime plugin ?

Flemming Riis, 2009-02-02

Carl Tyler did a good write up on it a couple of days ago.

Main point is you should never install any sametime plugins unless you can verify the functionality of what they do.

Simon O'Doherty, 2009-02-02

Simon, I know. This IS about Carl's post.

The Sametime client architecture, like other Expeditor applications, encourages the installation of plug-ins. And unless you read the source code and compile the application yourself, you will never know that plug-in does.

Volker Weber, 2009-02-02

Yes I also think that this function is unnecessary and makes it much easier steal someones passwords.
But if you think about it, then don't you have a similar risk with ANY software which you install/run on your computer? You always have no other option then to trust the producer. How do you know that SKYPE/Notepad++/AntiVirus/ is not logging any of your keystrokes. From such list the passwords can be retrieved easily.
Well installing a sametime-plugin is not more or less dangerous then installing any other software.

Hynek Kobelka, 2009-02-02

If you are really serious, I think you could work for IBM in Sametime security. :-)

Volker Weber, 2009-02-02

Hi,

you can do this for windows passwords in your windows network too, with the help of the ntml protocol and the open source implementation of samba.

Karsten

Karsten Fusenig, 2009-02-02

So... as long as it sucks only as bad as Windows, it's OK?

Craig Wiseman, 2009-02-02

Craig, don't be fooled so easily. MS has not published an API to retrieve the user's password in clear text.

Volker Weber, 2009-02-02

Let's take a second and understand some of the implications... While users log on to their Sametime client, authentication is not against the local installation but a Directory Service. Most installations would probably use DD or LDAP (or other directories that publish LDAP). Both services are typically used for access control of numerous applications. So by stealing the password for Sametime, you are actually getting access to DWA mailfile, the BW, intranet etc.

Even better, some enterprises are as dump as to use Lotus/IBM features like password synchronization. Congratulations, here's the password of the Windows account.

Hopefully I just get this wrong. If anyone has more insights, please share. If these assumptions are correct, the Sametime API must be considered one of the worst backdoors on corporate PCs.

Dirk Rose, 2009-02-02

This is just plain crazy. I just can't see a legitimate reason for the getPassword() function being there. All a plug-in should need to know is that yes, Sametime has an active session to the server and it can do whatever it does. Except, of course, grab my password in cleartext.

Did Charlie Kaufman know about this? Was it the reason he left?

Joerg Michael, 2009-02-02

Flemming - to answer your question, "wont it require local admin rights on a windows machine to install a Sametime plugin ?" the answer is "no". On a locked down desktop, Sametime will install a plug-in to the user's data directory which will not require admin rights.

Glen Salmon, 2009-02-03

@Volker ahh I see the link. Thought the "more" was to expand this thread. A lil confusing. :)

Simon O'Doherty, 2009-02-03

Glen thanks.

Flemming Riis, 2009-02-03

Recent comments

Stefan Hempel on Android Updates im Juni at 21:17
Thomas Cloer on Android Updates im Juni at 14:09
Michael Korn on Sonos mit Triby steuern :: Stuff that works at 08:15
Volker Weber on Sonos mit Triby steuern :: Stuff that works at 17:22
Nick Daisley on Sonos mit Triby steuern :: Stuff that works at 16:53
Marc Henkel on Samsung T5 für weniger als 80 Euro at 12:44
Volker Weber on Samsung T5 für weniger als 80 Euro at 09:27
Michael Urspringer on Samsung T5 für weniger als 80 Euro at 09:25
Volker Weber on Invoxia Triby :: Ein starker Zwerg at 06:38
Ray Guilliard on Invoxia Triby :: Ein starker Zwerg at 05:22
Maikel Maes on Samsung T5 für weniger als 80 Euro at 21:48
Volker Weber on Victorinox Money Clip :: Stuff that works at 16:39
Andreas Pfau on Victorinox Money Clip :: Stuff that works at 16:36
Volker Weber on Samsung T5 für weniger als 80 Euro at 16:20
Bernd Hofmann on Samsung T5 für weniger als 80 Euro at 16:09
Volker Weber on Samsung T5 für weniger als 80 Euro at 15:32
thorsten ebers on Samsung T5 für weniger als 80 Euro at 15:00
Matthias Lipp on Victorinox Money Clip :: Stuff that works at 14:41
Volker Weber on Victorinox Money Clip :: Stuff that works at 13:22
Dominique Roller on Victorinox Money Clip :: Stuff that works at 12:59
Volker Weber on Victorinox Money Clip :: Stuff that works at 12:39
Thomas Klein on Victorinox Money Clip :: Stuff that works at 12:36
Volker Weber on Neato Botvac D7 Connected :: Integration in HomeKit at 12:35
Ralph Inselsbacher on Neato Botvac D7 Connected :: Integration in HomeKit at 12:33
Oliver Busse on Samsung T5 für weniger als 80 Euro at 12:10

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 21:40

visitors.gif

buy me coffee

Paypal vowe