On 02/25/2012 06:31 PM, Dimitris Glynos wrote:
> Pidgin transmits OTR (off-the-record) conversations over DBUS in
> plaintext. This makes it possible for attackers that have gained
> user-level access on a host, to listen in on private conversations
> associated with the victim account.

As noted by Peter Lawler this should really be referenced as a libpurple
issue and not a pidgin one. You may find the updated advisory here:

http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

(old URL is valid too)

Best regards,

Dimitris Glynos
--
http://census-labs.com -- IT security research, development and services

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
