IBM responds to Sametime exposing password
by Volker Weber
Recent comments in the developer community have raised concerns about the state of plug-in security in the Lotus environment. IBM takes the security of its products very seriously and aims to address customer concerns in this area. Specific to the observations about passwords in the system, these APIs exist to allow integration into password-based enterprise security models.
This note dances around the real issue. It does not fail to mention that browsers store passwords and provide them for SSO purposes. It does not mention however, that a Sametime plug-in can expose the Sametime password in cleartext. That is a huge difference. Windows does not expose your Windows password. Sametime will, if you login via Sametime to an Active Directory. Conveniently, blame can be attached elsewhere:
Regarding the deployment of 3rd party plug-ins, IBM recommends that customers take appropriate precautions to understand and control any code they permit users to install and run in their environment.
You have to lock all doors and windows. They are open when you move in.
Comments
It's documented since ... uhmm ... ever? RTFM! And then decide if this is a security leak in your respective environment or not. What's the problem?
Ralf Stellmacher, 2009-02-09
