10 April 2009

. IM Memory Dumping (cont.)

(You may want to read first IM Memory Dumping)

According to Wikipedia on April 6th 2007, GAIM's project development team changed the name of the popular IM to Pidgin, as a result of their settlement with AOL and latter's trademarked acronym AIM. So we downloaded Pidgin's latest version 2.5.5 and installed it in our VMware Windows box. We happily added our demo username and password (for our test it does not matter if you tick the box saying remember password, or not, as there is no change in the result of our experiment). Then we dumped Pidgin's process memory, saved it to a file in our Samba share, the file consumed about 50MB of space. From there, using the strings command we searched for sequences of printable characters; by grep-ing for our set password we found three instances of it in different places (all of them of course in plaintext).

We changed our account password a few times and repeated the process again and again, last we concluded that:
1. every time the password was stored three times in the process memory
2. one of the locations is very easily spotted in the dump (if you view the file with a Hex editor you will see that there is always a large block of random data then the string =p&=, then some random numbers (which they do not always appear) and finally our password). As you understand even if you do not know the secret password you can find it by trial and error in just a few tries.

I guess that other IM clients is very likely to store your passwords amongst other information in clear. I can not tell you do not use program X or program Y because they do not properly encrypt your passwords or do not scrub the memory, but I can advise you to take under serious consideration which ones you do use at home and work, and think how much exposed you are.