Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: eudora01.htm

Eudora weak password encryption



Vulnerability

    Eudora

Affected

    Win sistems running Eudora clients (light and pro, v4 too)

Description

    Sander Goudswaard posted following.   Note however that  following
    is security issue only  in specific enviroument like  classes with
    bunch of computers.   The mail program  Eudora from Qualcomm  Inc.
    has the ability to save the  mail password in its INI file  ('save
    password').  This password  is encrypted in a  not-too-strong way.
    There's a program  called EUDPASS.COM on  the Net that  can easily
    decrypt  this  password.   Of  course,  having  the INI file means
    someone can check your mail. But that 'someone'  could not use the
    password to log in directly to the machine the mail is stored  on.
    With this utility, the password itself can be obtained.

    Thomas Kindler added following.  Additionally, if your Eudora  INI
    file, or  any other  data store  used to  "remember" passwords (MS
    Internet Mail  uses the  registry), isn't  secure neither  a "port
    switched" network nor TCP connection encryption will protect  you.
    Anyone can decrypt your password in five easy steps:

        1. Install the associated mail application for example  Eudora
           with POP server configured as localhost
        2. Copy  the password  entry from  the target  user's INI file
           (or registry key in the case of Internet Mail)
        3. Start a program designed to accept incoming TCP connections
           on the POP port
        4. Start the mail application and acquire mail
        5. When  the TCP  connection is  established send  "+OK" twice
           from the incoming TCP  connection program and the  password
           will be returned UNENCRYPTED

Solution

    Although this is  known problem, no  solution has been  offered by
    Qualcomm.   Until  they  change  the  encryption  algorithm,   the
    password can be easily decrypted by anyone with access to the  INI
    file.   Don't  save  your  password,  or  make  sure your INI file
    (better, the entire mail directory) can not be accessed by anyone.
    Hope Qualcomm  will change  the algorithm  some day.   If the user
    wants security,  they have  to type  the password  in every  time,
    period.  If they choose to save it, they cannot be as secure.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH