[security] Pidgin XMPP TLS/SSL Man in the Middle attack

Bug #151613 reported by John Moser
Affects        Status   Importance   Assigned to   Milestone
at (Ubuntu)    New      Undecided    Unassigned

Bug Description

Binary package hint: at

As per http://developer.pidgin.im/ticket/3381 the Pidgin IM client does not properly implement SSL and TLS, particularly components dealing with feedback to the end user.

The client gives the end user no method of determining the validity of the certificate; in cases where a server presents invalid or self-signed certificates, Pidgin operates as normal. As a result, any man-in-the-middle attacker can handshake with the server and with the client (using a fake certificate) and perform a decrypt-recrypt process to read the data, including message text and plaintext passwords, in plain text.

No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in.
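The two behaviours the report contrasts, as an added example that is not Pidgin's code or part of the original report: a TLS context that accepts any certificate (the condition described above, which lets a man-in-the-middle proxy with its own certificate decrypt and re-encrypt the stream) beside a hardened context, plus a trust-on-first-use fingerprint store that gives the user something to compare against what the server operator publishes. The helper names (make_client_context, cert_fingerprint, CertFingerprintStore) and the byte strings standing in for certificates are assumptions made for this example; only the Python standard library is used.

```python
"""Added example, not Pidgin's code: 'accept anything' versus hardened TLS
for an XMPP STARTTLS client, plus trust-on-first-use (TOFU) certificate
fingerprint pinning so the user can judge the server's certificate.

make_client_context, cert_fingerprint and CertFingerprintStore are
hypothetical helper names chosen for this example.
"""
import hashlib
import ssl


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Build the TLS context a client would wrap its stream in after STARTTLS.

    verify=False reproduces the behaviour the report describes: neither the
    chain nor the hostname is checked, so a forged certificate from a
    man-in-the-middle is accepted. verify=True is the hardened form: system
    CA store, CERT_REQUIRED and hostname matching.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify:
        # Insecure: any certificate, including an attacker's, is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        # Also refuse legacy protocol versions.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated.

    This is the value a client can display so the user can compare it with
    the fingerprint the server operator published out of band.
    """
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintMismatch(Exception):
    """Raised when a host presents a certificate other than the pinned one."""


class CertFingerprintStore:
    """Trust-on-first-use store keyed by host.

    The fingerprint seen on first contact is pinned. A man-in-the-middle who
    appears later must present its own certificate, whose fingerprint will
    not match, so the connection is refused instead of silently proceeding.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def verify_peer_certificate(self, host: str, der_cert: bytes) -> str:
        """Return 'pinned' on first sight, 'match' on a repeat, else raise."""
        fp = cert_fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return "pinned"
        if pinned != fp:
            raise FingerprintMismatch(
                f"{host}: pinned {pinned}, server presented {fp}")
        return "match"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; not real certificates.
    # In a real client the bytes come from sock.getpeercert(binary_form=True).
    legit_cert = b"constructed-der-for-the-real-xmpp-server"
    mitm_cert = b"constructed-der-for-the-attacker"
    store = CertFingerprintStore()
    host = "xmpp.example.org"
    print(store.verify_peer_certificate(host, legit_cert), cert_fingerprint(legit_cert))
    print(store.verify_peer_certificate(host, legit_cert))
    try:
        store.verify_peer_certificate(host, mitm_cert)
    except FingerprintMismatch as exc:
        print("refused:", exc)
```

With the hardened context, `ssl.SSLContext.wrap_socket` itself rejects an unknown chain or a hostname mismatch; the fingerprint store adds the user-visible check the report says Pidgin lacked, and catches the case where the attacker's certificate does chain to a trusted CA.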
