IBM responds to Sametime exposing password

by Volker Weber

Recent comments in the developer community have raised concerns about the state of plug-in security in the Lotus environment. IBM takes the security of its products very seriously and aims to address customer concerns in this area. Specific to the observations about passwords in the system, these APIs exist to allow integration into password-based enterprise security models.

This note dances around the real issue. It does mention that browsers store passwords and provide them for SSO purposes. It does not mention, however, that a Sametime plug-in can expose the Sametime password in cleartext. That is a huge difference. Windows does not expose your Windows password. Sametime will, if you log in to an Active Directory via Sametime. Conveniently, blame can be attached elsewhere:

Regarding the deployment of 3rd party plug-ins, IBM recommends that customers take appropriate precautions to understand and control any code they permit users to install and run in their environment.

You have to lock all doors and windows. They are open when you move in.


Comments

It's documented since ... uhmm ... ever? RTFM! And then decide if this is a security leak in your respective environment or not. What's the problem?

Ralf Stellmacher, 2009-02-09
