AIM.app Jailbroken Security Alert

Discussion in 'iTunes App Store Games & Apps' started by Axis, Feb 1, 2010.

  1. Axis

    Axis Super Moderator Staff Member

    Note: If you are not jailbroken, this is not /as/ serious, though you should certainly keep this in mind.


    I was poking around my iPhone's filesystem today, and I made a startling discovery.

    The official AIM application (I have the free one, version 4.0.3) stores your password in plaintext. That's right—not a salted hash, plain, unencrypted, human-readable text.

    If you don't believe me, fire up an SSH client and connect to your device. Find your AIM app's folder, and look at the com.aol.aim.plist file in the Preferences directory.

    Your precious password is the string value corresponding to the aptly-titled "password" key.

    This is unacceptable. I understand that AOL is not serving the jailbreak community, so I will not fault them entirely, but please be mindful: if you are jailbroken, you are vulnerable.

    Armed with this information, you may choose to ignore it, but don't complain when something bad happens.

    --

    To my knowledge, this has not been discussed publicly before.

    EDIT: On another note, if you are still using "alpine" as your default password, change it immediately.

    Code:
    # run in MobileTerminal or over an SSH session
    su root
    passwd
    # follow the on-screen prompts
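
An added example, not part of the original post and not AOL's code: a check a developer or tester can run over their own app's preferences plist to flag credential-like keys stored as readable strings, as the "password" key in com.aol.aim.plist is described above. The key-name pattern and both sample plists are constructed assumptions; only the key name "password" comes from the thread.

```python
import plistlib
import re

# Key names that suggest a stored secret (assumed list; extend for your app).
SECRET_KEY = re.compile(r"password|passwd|passphrase|secret|token|api[_-]?key", re.I)

def find_plaintext_secrets(plist_bytes):
    """Return key paths whose name looks like a credential and whose value is
    a non-empty readable string. Accepts XML and binary plists."""
    root = plistlib.loads(plist_bytes)
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}/{key}"
                if isinstance(value, str) and value and SECRET_KEY.search(key):
                    hits.append(child)  # report the path only, never the value
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(root, "")
    return sorted(hits)

# Constructed sample: a binary preferences plist shaped like the one in the thread.
SAMPLE_LEAKY = plistlib.dumps(
    {
        "screenName": "example_user",
        "password": "constructed-not-a-real-password",
        "autoLogin": True,
        "accounts": [{"name": "work", "authToken": "constructed-token"}],
    },
    fmt=plistlib.FMT_BINARY,
)

# Constructed sample: preferences that only reference a keychain item by name.
SAMPLE_CLEAN = plistlib.dumps(
    {"screenName": "example_user", "keychainItem": "com.example.im.login"},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for label, data in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        found = find_plaintext_secrets(data)
        print(label, "->", found if found else "no plaintext credential keys")
```

A non-empty result is a release blocker for the app under test: the value belongs in the platform keychain, with the preferences file holding at most a reference to it.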
    
  2. daconcerror

    daconcerror Banned

    can you remove it from the file or does that mean that it doesn't have an auto login?
  3. Just_For_Now

    Just_For_Now Active Member

    so what if they show my password? no one can see it.
  4. LssThanThree

    LssThanThree Active Member

    No surprise.
    MySpace app does the same.
    And maybe plenty others.
  5. daconcerror

    daconcerror Banned

    there are viruses that send data inside files across the network when you connect online, they can only attack JB'd iPods though, so if you're not JB'd you're fine
  6. Axis

    Axis Super Moderator Staff Member

    I haven't tried it, but removing that file will likely cause you to have to enter your login credentials (and whatever else) every time you launch the app (your username will not be remembered).

    I don't even think you can disable auto login, which is a design flaw.

    Only if that were true. Any jailbroken app/executable can access the password (and your screen name). This is no joke.

    Yes, it certainly is not just AIM. The point of this thread is to foster awareness of the increased vulnerability of jailbroken devices to privacy intrusions. This shouldn't prevent you from jailbreaking, but you should be especially mindful of everything you install.
  7. Nburnes

    Nburnes Well-Known Member

    This would be even more helpful if you included how to change your SSH password.

    Just sayin.
  8. Just_For_Now

    Just_For_Now Active Member

    ah i see. thanks for the info. I'm gonna change to eBuddy now.
  9. Shawa

    Shawa Super Moderator

    sh*t, this reminds me, I remember Palringo doing exactly the same thing while I was jailbroken. That was a while ago though, it might have changed.
  10. Axis

    Axis Super Moderator Staff Member

    Yeah, sure, I'll throw in a quick note on that. However, that won't keep users safe from rogue programs running on the device.
