pidgin OTR information leakage

Pidgin transmits OTR (off-the-record) conversations over DBUS in
plaintext. This makes it possible for attackers that have gained
user-level access on a host, to listen in on private conversations
associated with the victim account.

Pidgin is a popular Instant Messenger application that runs on a wide
variety of platforms including Windows and Linux. The pidgin-otr plugin
enables users to communicate securely over any Instant Messenger network
using the “Off-the-record” messaging protocol.

If Pidgin is compiled with DBUS support and there is a DBUS session
daemon running on the system, then all messages that are typed into
Pidgin and messages received through Pidgin are broadcasted on DBUS. The
reasoning behind this is to allow for third party applications, such as
desktop widgets to process these messages (e.g. create an animation when
a message arrives). However, among the messages transmitted over DBUS
one also finds OTR conversations in plaintext form. This is a security
problem, as the private OTR messages may leak to other (unrelated)
processes that are executing with the Pidgin user’s rights.

A more detailed advisory and proof-of-concept script can be found here:
http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

The Pidgin and pidgin-otr development teams have been contacted about
this issue and we anticipate a fix in a coordinated future release.

The Common Vulnerabilities and Exposures (CVE) project has
assigned candidate name CVE-2012-1257 to this issue.

Disclosure Timeline

Vendor Contact(s): December 20th, 2011
CVE assignment: February 21st, 2012
Public Disclosure: February 25th, 2012

Kind regards,

Dimitris Glynos

http://census-labs.com – IT security research, development and services