Hey look, Secunia reads FreshMeat!
I hope no one is paying Secunia for their security advisories. I released gtalkbot 1.0 (where you had to pass the GTalk user name and password on the command line), and then changed that behaviour in 1.1. The Secunia rocket scientists figured out all by themselves that this was bad. Bad enough for a security advisory?
A security issue has been reported in gtalkbot, which can be exploited by malicious, local users to disclose sensitive information.
The problem is that certain user credentials are passed to the application as arguments on the command line. This can be exploited to gain knowledge of usernames and passwords of other services via the process list.
The security issue is reported in versions prior to 1.1.
Ummm, the GTalk account is created for the purpose, and so it's not uber secure anyways. In fact, it's only visible to local users, who are presumably trusted anyways given that gtalkbot also needs the unauthenticated telnet interface to MythTV enabled to work. Wow. I assume that Secunia just reads every FreshMeat security release, and makes an announcement about it. Oh, and those nearly three paragraphs took over two weeks!
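For readers who want to see concretely what the advisory is talking about, here is an added example (not gtalkbot's own code) showing why command-line credentials are visible to every local user through the process list, and the kind of change 1.1 made instead. The `--user`/`--password` option names, the sample command line and the 0600 password-file scheme are assumptions made for illustration; the page does not give gtalkbot's real option names or how 1.1 reads the credentials.

```python
"""Why credentials on the command line leak to local users, and one way to
pass them safely instead. Added example, not gtalkbot's code; option names
and the password-file scheme are assumptions for illustration."""
import os
import stat
import tempfile

# Flag names that commonly carry secrets (assumed; used only for the audit).
SECRET_FLAGS = {"--password", "--passwd", "-p", "--token"}


def parse_proc_cmdline(raw: bytes) -> list:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def find_secret_args(argv: list) -> list:
    """Return (flag, value) pairs whose flag looks like it carries a secret.
    Handles both '--password hunter2' and '--password=hunter2' forms."""
    hits = []
    for i, arg in enumerate(argv):
        if "=" in arg and arg.split("=", 1)[0] in SECRET_FLAGS:
            flag, value = arg.split("=", 1)
            hits.append((flag, value))
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            hits.append((arg, argv[i + 1]))
    return hits


def audit_running_processes() -> list:
    """Scan /proc (Linux) for any process, of any user, whose argv carries a
    secret flag. This is exactly the visibility an unprivileged local user
    gets from `ps aux`, which is the whole point of the advisory."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = parse_proc_cmdline(f.read())
        except OSError:
            continue  # process exited, or not ours to read (hidepid)
        for flag, _ in find_secret_args(argv):
            findings.append((int(pid), argv[0] if argv else "", flag))
    return findings


def write_password_file(directory: str, password: str) -> str:
    """Hardened alternative: create the password file with mode 0600 from the
    start, so there is no window in which it is world-readable."""
    path = os.path.join(directory, "gtalkbot.pass")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(password + "\n")
    return path


def load_password_file(path: str) -> str:
    """Read the password from a file only its owner can read. Refuse files
    with any group/other bits set; otherwise the leak just moves from the
    process list to the filesystem."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be group/world accessible")
    with open(path, encoding="utf-8") as f:
        return f.read().rstrip("\n")


def roundtrip_demo(password: str = "hunter2") -> tuple:
    """Write the secret with 0600, read it back, then show that the loader
    refuses the same file once it has been made world-readable."""
    with tempfile.TemporaryDirectory() as d:
        path = write_password_file(d, password)
        loaded = load_password_file(path)
        os.chmod(path, 0o644)
        try:
            load_password_file(path)
            refused = False
        except PermissionError:
            refused = True
    return loaded, refused


# Constructed sample: what /proc/<pid>/cmdline would hold for a 1.0-style
# invocation with the user name and password on the command line.
SAMPLE_CMDLINE = (b"python\x00gtalkbot.py\x00--user\x00mythbot@example.com"
                  b"\x00--password\x00hunter2\x00")

if __name__ == "__main__":
    argv = parse_proc_cmdline(SAMPLE_CMDLINE)
    print("visible in the process list:", find_secret_args(argv))
    print("0600 file round trip (value, refused_when_0644):", roundtrip_demo())
    for pid, exe, flag in audit_running_processes():
        print(f"pid {pid} ({exe}) passes {flag} on its command line")
```

Running the script on a Linux host prints the secret recovered from the constructed command line, shows the 0600-file loader returning it and refusing the same file once it is chmod 644, and then lists any real process on the box whose argv uses one of the assumed secret flags. The audit is the defender's check: if it finds anything, that process has the same exposure gtalkbot 1.0 had.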
Update: but wait, there's more! I made it into the US Federal Government's vulnerability database too, complete with an incorrect "Authentication: Not required to exploit". I guess the Feds can't read python code?
Update: perhaps Secunia is just reprinting this lame advisory? Do these people just reprint each other's work all the time? Again with the hoping people aren't earning money by making suckers think they're helping...
The fun continues: yay for SecWatch and systembodyguard!
posted at: 22:08 | path: /gtalkbot | permanent link to this entry
-
#1
Scott Lamb
By making that freshmeat security release, you gave the Department of Homeland Security something to do other than invade my privacy. There's something to be said for that...
-
#2
Steve
Something in the water over there perhaps?
They did something similar to me about two weeks ago.
Incompetence Forever!
Refused to identify themselves: Do you believe every email claiming to offer millions of dollars? Why would I believe an unsigned email claiming to be from a security researcher?
And then threatened to push a nasty security alert out unless I did all their work for them. Said nasty alert went out. I do not appreciate being blackmailed.
The sad part for me, if you bother reading the above, is that the "vulnerability" has been in the upstream code for 5+ years. And has never been a problem, or noticed, until now. Which says a lot about how nasty it must be.
Not Happy Jan.
- Steve, a geek still in Canberra.
