Pidgin Oscar (ICQ) Security

Just threw out pidgin for empathy, because it basically authenticates using the plain password over the wire. Pidgin relies on libpurple for the implementation of the protocol. Libpurple transmits the password by xoring with some magic bytes, such that the password can be retrieved by any listener of the network traffic.

Consider using wireshark for sniffing the TLV block "roasted password bytes" and the following C++ code to reconstruct the password. There seems no option for changing the login method to a more secure setting. Empathy at least implements a challenge response and hashing system (not evaluated in detail).

No comments: