Cracking Eudora Mail Passwords Made Easy
Systems Affected
Any systems using Eudora for a mail client
Description:
A program called "EUDPASS.COM can reads the Eudora INI file and locate the password entry. Once located, the program runs a symmetric algorithm and decrypts the password back to clear text.
Demonstration Code:
Down the EUDPASS password cracker in ZIP format
QualComm"s Response:
Qualcomm is warning users of its popular Eudora email software not to save their passwords on their computers thanks to readilthe ease with which programs can be designed to decrypt them.
Macintosh computers are similarly vulnerable, according to Qualcomm, but not to the EUDPASS.COM program.
Community Feedback:
Thomas Kindler points out the following, as seen on the Bugtraq mailing list:
It is important to consider the futility of encrypting your Post Office Protocol (Eudora uses the POP protocol to retrieve mail) password when judging Qualcomm. I support the use of strong encryption when any program "remembers" a user"s password but in this case it is a waste of time.
Why? Many people do not realize that the POP protocol exchanges their password over the network UNENCRYPTED each time the mail server is contacted. If I recall correctly the protocol does break the password up so it doesn"t travel across the LAN in a single packet but one could hardly consider that secure. Unless your network is "port switched" or you are using some form of TCP connection encryption anyone with a packet analyzer and access to your LAN can snoop every password used by every POP mail user.
Additionally, if your Eudora INI file, or any other data store used to "remember" passwords (MS Internet Mail uses the registry), isn"t secure neither a "port switched" network nor TCP connection encryption will protect you. Anyone can decrypt your password in five easy steps.
1 Install the associated mail application for example Eudora
with POP server configured as localhost
When I forgot my password a while back and was able to accomplish this scenario (including writing a program to accept incoming TCP connections) in a few hours. I realize that some changes in the encryption algorithm could be made to make this more difficult but generally the encryption of something that will be exchanged publicly in clear text is futile.
To learn more about new NT security concerns, subscribe to NTSD.
Credit: |
Cracking Eudora Mail Client Passwords
1 comment
Hide comments