Sametime security risk or not?

by Volker Weber

I did not think this was possible:

So what functionality am I referring to? The getPassword() function ... in the Connect Client API.

This function allows a Sametime plug-in developer to retrieve the user's clear-text Sametime password if they are logged in.

Do you know what your plug-ins are doing?

More >

Comments

You're kidding, aren't you? This is really Authentication 101: credentials shouldn't be stored or transmitted in plaintext. Oh, and just on the side, transmitting a hash of the password is also not the solution if the client submits the hash as the credential (seen that before...).

Ragnar Schierholz, 2009-02-01
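The hash-as-credential point in the comment above, and the NTLM-style challenge-response that comes up further down the thread, shown as an added example (not code from vowe.net or from Sametime). It models three hypothetical login schemes with made-up function names: when the value the client submits is the same value the server stores, that value is a password equivalent, and keying a challenge-response on it does not help either (pass-the-hash). Only a design where the server stores something the client never sends (scheme C) survives a leak of the server-side record.

```python
"""Why "send a hash instead of the password" does not fix the problem.

Added example, not code from vowe.net or from Sametime. Scheme names and
function names are made up for the demonstration.
"""
import hashlib
import hmac
import os

PASSWORD = "correct horse"           # constructed sample secret


def hash_pw(password):
    """Unsalted sha256(password): the client credential in scheme A and the
    stored record in schemes A and B."""
    return hashlib.sha256(password.encode()).digest()


# Scheme A: client submits sha256(password); server stores sha256(password).
def login_a(stored, submitted):
    return hmac.compare_digest(stored, submitted)


# Scheme B: challenge-response keyed on the stored hash. The wire never
# carries the hash, but anyone holding the hash can answer the challenge.
def respond_b(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

def login_b(stored, nonce, response):
    return hmac.compare_digest(respond_b(stored, nonce), response)


# Scheme C: client sends the password itself (over a server-authenticated
# channel, assumed and not modelled); server stores only a salted,
# iterated hash, which is not something a client could submit.
def enroll_c(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iters": iterations, "digest": digest}

def login_c(record, submitted_password):
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                    record["salt"], record["iters"])
    return hmac.compare_digest(record["digest"], candidate)


def run_demo():
    """Simulates an attacker who has obtained the server-side record of each scheme
    and replays it. Returns which logins succeed."""
    stored_ab = hash_pw(PASSWORD)
    leaked_ab = bytes(stored_ab)                   # attacker's copy of the record
    nonce = os.urandom(16)                         # server challenge for scheme B
    record_c = enroll_c(PASSWORD)
    leaked_c = record_c["digest"].hex()            # best the attacker can submit as a "password"
    return {
        "a_legit":  login_a(stored_ab, hash_pw(PASSWORD)),
        "a_replay": login_a(stored_ab, leaked_ab),                        # stored value == credential
        "b_legit":  login_b(stored_ab, nonce, respond_b(hash_pw(PASSWORD), nonce)),
        "b_pth":    login_b(stored_ab, nonce, respond_b(leaked_ab, nonce)),  # pass-the-hash
        "c_legit":  login_c(record_c, PASSWORD),
        "c_replay": login_c(record_c, leaked_c),                          # record is not a credential
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

In schemes A and B the "hash" is simply the password under another name: whoever reads it from the server, from the wire, or from a client API can log in with it. Scheme C is the common baseline (password over TLS, salted KDF at rest); it does not help against a client-side API that hands out the password itself, which is the point of the post.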

Clearly a security risk. Anything that exposes a user's password in clear text without the user involved is a really bad idea.

Ken Porter, 2009-02-02

The ability to get a password in clear text isn't very smart, but won't it require local admin rights on a Windows machine to install a Sametime plugin?

Flemming Riis, 2009-02-02

Carl Tyler did a good write up on it a couple of days ago.

Main point is you should never install any sametime plugins unless you can verify the functionality of what they do.

Simon O'Doherty, 2009-02-02

Simon, I know. This IS about Carl's post.

The Sametime client architecture, like other Expeditor applications, encourages the installation of plug-ins. And unless you read the source code and compile the application yourself, you will never know what that plug-in does.

Volker Weber, 2009-02-02

Yes, I also think that this function is unnecessary and makes it much easier to steal someone's passwords.
But if you think about it, don't you have a similar risk with ANY software which you install/run on your computer? You have no other option than to trust the producer. How do you know that Skype/Notepad++/AntiVirus/... is not logging any of your keystrokes? From such a list the passwords can be retrieved easily.
Well, installing a Sametime plug-in is not more or less dangerous than installing any other software.

Hynek Kobelka, 2009-02-02

If you are really serious, I think you could work for IBM in Sametime security. :-)

Volker Weber, 2009-02-02

Hi,

you can do this for Windows passwords in your Windows network too, with the help of the NTLM protocol and the open source implementation of Samba.

Karsten

Karsten Fusenig, 2009-02-02

So... as long as it sucks only as bad as Windows, it's OK?

Craig Wiseman, 2009-02-02

Craig, don't be fooled so easily. MS has not published an API to retrieve the user's password in clear text.

Volker Weber, 2009-02-02

Let's take a second and understand some of the implications... While users log on to their Sametime client, authentication is not against the local installation but a Directory Service. Most installations would probably use DD or LDAP (or other directories that publish LDAP). Both services are typically used for access control of numerous applications. So by stealing the password for Sametime, you are actually getting access to the DWA mailfile, the BW, intranet etc.

Even better, some enterprises are as dumb as to use Lotus/IBM features like password synchronization. Congratulations, here's the password of the Windows account.

Hopefully I just get this wrong. If anyone has more insights, please share. If these assumptions are correct, the Sametime API must be considered one of the worst backdoors on corporate PCs.

Dirk Rose, 2009-02-02

This is just plain crazy. I just can't see a legitimate reason for the getPassword() function being there. All a plug-in should need to know is that yes, Sametime has an active session to the server and it can do whatever it does. Except, of course, grab my password in cleartext.

Did Charlie Kaufman know about this? Was it the reason he left?

Joerg Michael, 2009-02-02
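The design Joerg asks for, as an added example (not code from vowe.net, from Carl Tyler's post or from the Sametime Connect Client API): a hypothetical chat server plus two plug-in host designs. Host A keeps the password and exposes getPassword(), the pattern under discussion; host B hands plug-ins an opaque, revocable session handle that can act within the session but has no way to ask for the password. A second service behind the same directory models Dirk's point that the leaked password is worth more than one chat session. All class, method and user names are made up; the sample directory is constructed.

```python
"""Give plug-ins a session capability, not the password.

Added example, not code from vowe.net or Sametime. Names are hypothetical.
"""
import secrets

# Constructed sample directory: one user, one password, shared by every
# service that authenticates against it (Dirk's point in the thread).
DIRECTORY = {"alice": "hunter2"}


class ChatServer:
    """Hypothetical server: sees the password once at login, tokens afterwards."""

    def __init__(self, directory):
        self._directory = directory
        self._sessions = {}          # token -> user
        self.delivered = []          # (from, to, text), kept for the demo

    def login(self, user, password):
        if self._directory.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_bytes(32)
        self._sessions[token] = user
        return token

    def send_message(self, token, to, text):
        user = self._sessions.get(token)
        if user is None:             # unknown or revoked session
            return False
        self.delivered.append((user, to, text))
        return True

    def logout(self, token):
        self._sessions.pop(token, None)


class MailService:
    """Another service behind the same directory password."""

    def __init__(self, directory):
        self._directory = directory

    def open_mailbox(self, user, password):
        return self._directory.get(user) == password


class LeakyHost:
    """Host design A: retains the password and lets any plug-in read it."""

    def __init__(self, server, user, password):
        self._password = password
        self._token = server.login(user, password)

    def getPassword(self):           # the getter Carl Tyler found
        return self._password


class SessionCapability:
    """Host design B: what a plug-in receives. It can act inside the session
    and nothing else; there is no accessor for the password."""

    __slots__ = ("_server", "_token", "_user")

    def __init__(self, server, token, user):
        self._server, self._token, self._user = server, token, user

    def send_message(self, to, text):
        return self._server.send_message(self._token, to, text)

    def user(self):
        return self._user

    def __repr__(self):              # never prints the token
        return f"<SessionCapability user={self._user!r}>"


class HardenedHost:
    def __init__(self, server, user, password):
        token = server.login(user, password)   # password used once, not stored
        self._server, self._token = server, token
        self.capability = SessionCapability(server, token, user)

    def logout(self):
        self._server.logout(self._token)


def rogue_plugin(api):
    """A plug-in that calls the documented getter if the host offers one."""
    getter = getattr(api, "getPassword", None)
    return getter() if callable(getter) else None


def run_demo():
    """Returns what the rogue plug-in achieves against each host design."""
    chat, mail = ChatServer(DIRECTORY), MailService(DIRECTORY)
    leaky = LeakyHost(chat, "alice", "hunter2")
    hardened = HardenedHost(chat, "alice", "hunter2")
    cap = hardened.capability

    stolen = rogue_plugin(leaky)
    result = {
        "leaky_password_exposed": stolen == "hunter2",
        "leaky_password_opens_mail": mail.open_mailbox("alice", stolen or ""),
        "hardened_password_exposed": rogue_plugin(cap) is not None,
        "hardened_can_still_chat": cap.send_message("bob", "hi"),
    }
    hardened.logout()                # revocation bounds what a rogue plug-in could do
    result["hardened_after_logout"] = cap.send_message("bob", "hi again")
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Python cannot stop a determined plug-in from poking at `_token`, so the point is the contract, not the language: a session token is scoped to one server and dies on logout, while the directory password opens mail and, with password synchronization, the Windows account as well. A real host in a plug-in framework such as Eclipse/Expeditor would draw the same line by simply not offering a password getter.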

Flemming - to answer your question, "wont it require local admin rights on a windows machine to install a Sametime plugin ?" the answer is "no". On a locked down desktop, Sametime will install a plug-in to the user's data directory which will not require admin rights.

Glen Salmon, 2009-02-03

@Volker ahh I see the link. Thought the "more" was to expand this thread. A lil confusing. :)

Simon O'Doherty, 2009-02-03

Glen thanks.

Flemming Riis, 2009-02-03
