VULNERABILITIES / FIXES - March 27, 2012
by Carol~
- 3/27/12 3:24 AM
Google Talk Credentials Disclosure Security Issue
Release Date: 2012-03-27
Criticality level: Less critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Google Talk 1.x
Description:
Andrea Micalizzi has discovered a security issue in Google Talk, which can be exploited by malicious people to disclose sensitive information.
The security issue is caused due to the application insecurely processing the data supplied via the "gtalk://" URI and can be exploited to redirect authentication requests in clear text to an attacker-chosen server.
Successful exploitation requires that a localised version is installed without uninstalling the non-localised version.
The security issue is confirmed in version 1.0.5. Other versions may also be affected.
Solution:
Follow proper uninstallation procedures before installing the localised version.
Provided and/or discovered by:
Andrea Micalizzi (rgod)
Original Advisory:
http://retrogod.altervista.org/9sg_gtalk_uri.html
http://secunia.com/advisories/48448/
