
Spark IM Client Local Password Decryption

The open source Spark IM client from Ignite Realtime has a feature
that can save the user's password. Because the encryption uses a
static key, that saved password is stored insecurely.

The password is stored in a file called "spark.properties" and is
encrypted with Triple DES in ECB mode. The problem is that the key
used to encrypt it is static (see source file "Encryptor.java"), so
all users of the application share a single key to 'protect' their
password. Because of this, it's trivial to write a tool to scan for
and decrypt these passwords.

The Base64 encoded key is: ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae

I've written a simple tool (link below) that will scan a system
(Windows only) and provide a list of recovered user names and
passwords; to simplify auditing, it can also scan remote systems by
using the administrative share. To perform this scan, the attacker
needs to have access to the user's profile directory either via local
administrator privileges or misconfigured permissions.

Spark is often used with the Openfire jabber server (also from Ignite
Realtime) as an internal IM solution, and can be configured to use
LDAP for authentication - which makes the recovered credentials far
more interesting.

As of the current version (2.6.3), there does not seem to be a way to
disable this feature.
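For administrators who want to find exposed profiles without touching the decryption side, here is an added audit script (not the advisory's tool, and not Spark project code) that locates spark.properties files under user profile directories and reports which accounts have a saved password. The profile locations and the "username"/"password" property names are assumptions for this example; the advisory does not state them.

```python
import sys
from pathlib import Path

# Assumed for this example (not stated in the advisory): Spark keeps its
# settings in %APPDATA%\Spark or ~/.Spark, and the saved credential lives in
# the "username" and "password" keys of spark.properties.
SPARK_PATHS = (("AppData", "Roaming", "Spark"), (".Spark",))


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' separates key from value
        cut = min((line.find(c) for c in "=:" if c in line), default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit_properties(text):
    """Return (username, saved_password_present) for one spark.properties body.

    The value is never decrypted; the audit only needs to know it exists,
    since the static 3DES key makes any saved value recoverable."""
    props = parse_properties(text)
    return props.get("username", ""), bool(props.get("password", ""))


def find_spark_profiles(profile_root):
    """Yield every spark.properties under the per-user directories in profile_root."""
    root = Path(profile_root)
    if not root.is_dir():
        return
    for user_dir in root.iterdir():
        for parts in SPARK_PATHS:
            candidate = user_dir.joinpath(*parts, "spark.properties")
            if candidate.is_file():
                yield candidate


# Constructed sample content, used when no profile root is given on the command line.
SAMPLE = "# sample\nusername=alice\npassword=Q29uc3RydWN0ZWRTYW1wbGU=\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. C:\Users or /home
        for path in find_spark_profiles(sys.argv[1]):
            user, saved = audit_properties(path.read_text(errors="replace"))
            print(f"{path}: user={user!r} saved_password={saved}")
    else:
        print("sample:", audit_properties(SAMPLE))
```

Any profile reported with saved_password=True should have the saved credential cleared and the password rotated, since anyone with read access to that file can recover it.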

More details: http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/
Decryption Tool: https://github.com/adamcaudill/sparkim-passview
Spark: http://www.igniterealtime.org/projects/spark/

My apologies if this has been previously documented; in my research I
was unable to find anything.