[security] Pidgin XMPP TLS/SSL Man in the Middle attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| at (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Binary package hint: at
As per http://
The client gives the end user no way to determine the validity of the certificate; when a server presents an invalid or self-signed certificate, Pidgin operates as normal. As a result, a man-in-the-middle can complete a handshake with the server and with the client (using a fake certificate) and perform a decrypt-and-re-encrypt relay to read the data, including message text and plaintext passwords, in the clear.
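The missing check, shown as an added illustration using Python's standard `ssl` module (this is not Pidgin's code): the first context behaves the way the report describes and accepts any certificate, the second refuses one that does not chain to a trusted CA or does not name the server. The `cafile` path and the `jid_domain` parameter are assumptions for the illustration.

```python
import ssl
from typing import Optional

XMPP_C2S_PORT = 5222  # client-to-server port; TLS is negotiated via STARTTLS


def insecure_context() -> ssl.SSLContext:
    """The failure mode in the report: the client never checks who it is talking to,
    so a forged or self-signed certificate from a man-in-the-middle is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected behaviour: require a certificate that chains to a trusted CA and
    whose subject matches the server name. cafile (assumed path) pins a specific CA;
    None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a context would let the MITM described in the report through.
    Either skipping chain validation or skipping the hostname match is enough."""
    mitm_possible = ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "mitm_possible": mitm_possible,
    }


def wrap_after_starttls(sock, jid_domain: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Wrap an XMPP socket once the server has answered <starttls/> with <proceed/>.
    server_hostname is the JID's domain, which is the name the certificate must match;
    with verifying_context() a mismatched or untrusted certificate raises SSLError."""
    return ctx.wrap_socket(sock, server_hostname=jid_domain)
```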
No proof of concept for this specific attack exists. Those wishing to write one can create an Ettercap plug-in