
Cracking portable e-mail clients

Last week I went on a quest to find a simple, lightweight and portable e-mail client to put on a USB drive. Additional requirements were that the client be free and support encodings. Surprisingly, it was a tough quest. After browsing through potential candidates (most of them were just ugly and clumsy, honestly), three runners-up were selected: Sylpheed, Scribe and Ultrafunk Popcorn. All of them had their own pros and cons, but they all failed when it came to security. The way these clients protect user account credentials is a disaster. Account passwords can be collected and cracked instantly by malware.

Sylpheed

There is no protection at all. Passwords are stored in plain text and can be collected as simply as
find "assword=" accountrc > passwords.txt

Scribe

Passwords are simply XORed with the master password
KLWEHGF)AS^*_GPYIOShakl;sjfhas0w89725l3jkhL:KHASFQ_DF_AS+_F
and stored as hexadecimal strings in ScribeOptions.xml

Ultrafunk Popcorn

Obfuscated passwords from popcorn.ini can be recovered using the following simple C function:

void depopco(unsigned char *psw)
{
  unsigned char *o = psw, c;
  unsigned long x, i = 0x193BAA1C;

  while((c = *psw++) != 0)
  {
    x = c + 0x0fffffbf;
    if ((c = *psw++) == 0) break;
    c += (unsigned char)(x << 4) - 65;
    *o++ = (unsigned char)(c ^ (i >> 15));
    i = i * 0x00b504f3 + 1;
  }
  *o = 0;
} /* depopco */

This function was reversed from the binary within 5 mins, but an actual attacker does not even need to bother with reversing, because the client's source code is available.

See, even if you plan to only read messages, and to read them only over an SSL connection, you are still in danger of compromising your e-mail accounts when using these clients while roaming. So you'd better be aware and prepare.

As a side note on other major failure factors: Ultrafunk Popcorn is a discontinued product and there is no message encoding support; Sylpheed's MH format is some sort of a joke, which is not funny, particularly on a flash drive (it is not that funny on any NTFS either).
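
A defender's check for the situation described above, as an added example that is not part of the original post: it walks a drive or folder and reports which of the three credential stores named here are present, counting non-empty password lines in accountrc without ever printing them. The function names and the report layout are assumptions of this sketch; only the file names and the "assword=" pattern come from the post.

```python
import os
import re

# File names and weaknesses are the ones described in the post above.
KNOWN_STORES = {
    "accountrc": ("Sylpheed", "plain text"),
    "scribeoptions.xml": ("Scribe", "XOR with a fixed key, hex-encoded"),
    "popcorn.ini": ("Ultrafunk Popcorn", "keyless obfuscation"),
}
# Same substring the post searches for; only non-empty values count.
PASSWORD_LINE = re.compile(r"assword=\s*\S")


def count_plaintext_passwords(path):
    """Count accountrc lines that hold a non-empty password value."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if PASSWORD_LINE.search(line))


def audit(root):
    """Walk root and return one finding per credential store found.

    Findings carry the path and the weakness only, never the stored value.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            # Compare case-insensitively, as Windows file systems do.
            store = KNOWN_STORES.get(name.lower())
            if store is None:
                continue
            client, weakness = store
            path = os.path.join(dirpath, name)
            finding = {"path": path, "client": client, "weakness": weakness}
            if client == "Sylpheed":
                finding["plaintext_passwords"] = count_plaintext_passwords(path)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    for item in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(item)
```

Any finding means the account passwords in that file should be treated as readable by whatever ran on the host the drive was plugged into.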


5 Comments

  1. igor says:

    I will not ask you about Thunderbird :)
    I will not ask why not use portable Truecrypt for security :) Instead, I will ask what is the reason to hide passwords, if it will be sent in pure text over POP3?

    May 16, 2007 @ 9:48 am

  2. Ilya says:

    Igor,

    Thunderbird: If it is installed in about 22Mb then it is not exactly something called small and lightweight :)

    Truecrypt: Irrelevant from this point. Once it is mounted, all files there are transparently available to any active malware.

    There are POP3S, bounce tunnels, etc. to avoid plain text passwords being sent. Lousy credential protection on the client side renders those close to useless.

    Such protection also increases attack likelihood and success ratio for an offline attack on collected credentials.

    May 16, 2007 @ 11:34 am

  3. Paeniteo says:

    Unless you have to specify some sort of master password which is used to actually encrypt the account data, the whole storage mechanism cannot be secure by definition.
    You might see various degrees of “obfuscation” but that’s it.

    August 30, 2007 @ 11:31 am

  4. Ilya says:

    Exactly the point.

    August 30, 2007 @ 3:05 pm

  5. MoRbIdEsIrE says:

    Hi There.
    Nice post.
    And what do you think about Dreammail, another portable email client?

    February 1, 2008 @ 3:23 am
