From drew at bugcrowd.com Fri Mar 7 17:40:43 2014
From: drew at bugcrowd.com (Drew Sing)
Date: Fri, 07 Mar 2014 22:40:43 +0000
Subject: Improvements to your vuln disclosure program
Message-ID: <001a11c30718b7473604f40bf193@google.com>
Hey Security at Pidgin,
We placed you on our List of Bounty Programs last Sept, and I wanted to make sure your vuln submissions were going well. What could be improved in your current security process?
Based on feedback, we're about to release our free vulnerability submission platform that securely handles submissions, duplicates, and an automated hall of fame. Love to hear your thoughts and if this would provide value.
Look forward to hearing from you,
Drew
Growth Engineer at Bugcrowd
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From sedaghatpour1234 at gmail.com Fri Mar 21 22:45:49 2014
From: sedaghatpour1234 at gmail.com (Ali Sedaghatpour)
Date: Fri, 21 Mar 2014 22:45:49 -0400
Subject: Fwd: site security
In-Reply-To:
References:
Message-ID:
Hi
Your site's security score is an A-. See here for details:
https://www.ssllabs.com/ssltest/analyze.html?d=pidgin.im
Can this be improved? Please let me know; thanks!
From rzagastya at gmail.com Mon Mar 24 11:30:02 2014
From: rzagastya at gmail.com (agastya rudroj)
Date: Mon, 24 Mar 2014 08:30:02 -0700
Subject: reporting vulnerability
Message-ID:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin1.PNG
Type: image/png
Size: 29545 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin2.PNG
Type: image/png
Size: 18420 bytes
Desc: not available
URL:
From flamestryke at gmail.com Tue Mar 25 07:36:04 2014
From: flamestryke at gmail.com (Lord Flame Stryke)
Date: Tue, 25 Mar 2014 05:36:04 -0600
Subject: Pidgin and Windows Live Messenger
Message-ID: <38BEE1DEE33243918C4260571F2D4A1D@DragonFyrePC>
I have found a definite security flaw with Windows Live Messenger when using Pidgin. I have already sent an email to Microsoft to inform them of this.
In Pidgin, when disallowing multiple logins, Pidgin becomes the sole location that can be logged in. When attempting to operate remotely, I could not log in on any other device, so I could not disconnect Pidgin. In an attempt to log out of Pidgin, I logged in to the Windows Live site and changed my password, however Pidgin did not log out and, in fact, is currently sitting open on my desktop logged in without my having changed the password within Pidgin.
My concern is that, should someone gain access to my account, or to any other user's account, they would be able to disallow multiple logins and essentially hijack the account. I believe this presents a serious security flaw.
From elb at pidgin.im Tue Mar 25 08:47:13 2014
From: elb at pidgin.im (Ethan Blanton)
Date: Tue, 25 Mar 2014 08:47:13 -0400
Subject: Pidgin and Windows Live Messenger
In-Reply-To: <38BEE1DEE33243918C4260571F2D4A1D@DragonFyrePC>
References: <38BEE1DEE33243918C4260571F2D4A1D@DragonFyrePC>
Message-ID: <20140325124713.GA8673@mail.kb8ojh.net>
Lord Flame Stryke spake unto us the following wisdom:
> I have found a definite security flaw with Windows Live Messenger when
> using Pidgin. I have already sent an email to Microsoft to inform
> them of this.
Microsoft is the correct point of contact for this, we can't do
anything about it. They won't do anything about it, as this service
is being terminated within the next couple of months.
> In Pidgin, when disallowing multiple logins, Pidgin becomes the sole
> location that can be logged in. When attempting to operate remotely,
> I could not log in on any other device, so I could not disconnect
> Pidgin. In an attempt to log out of Pidgin, I logged in to the
> Windows Live site and changed my password, however Pidgin did not log
> out and, in fact, is currently sitting open on my desktop logged in
> without my having changed the password within Pidgin.
>
> My concern is that, should someone gain access to my account, or to
> any other user's account, they would be able to disallow multiple
> logins and essentially hijack the account. I believe this presents a
> serious security flaw.
For the record, this depends entirely on context. It could be a
security flaw, or it could be a security measure. While it prevents
you from booting a Pidgin that you want to boot, it would also prevent
an attacker from booting a legitimate instance. Either way, we can't
change the server behavior.
Ethan
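The behaviour reported above (a client that stays logged in after the account password was changed elsewhere, plus a "disallow multiple logins" lock that the stale client then holds) is a server-side design question. The following is an added example, not Pidgin or Messenger code, showing one common mitigation: every account carries a credential generation counter that is bumped on password change, every session records the generation it was opened under, and a session is honoured only while the two match. All names (`AuthServer`, `Account`, `Session`) and the PBKDF2 parameters are my own assumptions for this demo.

```python
"""Credential-generation-bound sessions (added example; hypothetical names).

A password change bumps the account's generation, which silently revokes
every session opened under the old password, including one that holds a
single-login lock, so a legitimate owner regains the account.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the demo self-contained; any slow KDF works.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    generation: int = 0          # bumped on every password change
    single_login: bool = False   # the "disallow multiple logins" switch


@dataclass
class Session:
    user: str
    generation: int              # credential generation at login time


class AuthServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def _live_sessions(self, user: str) -> int:
        acct = self.accounts[user]
        return sum(1 for s in self.sessions.values()
                   if s.user == user and s.generation == acct.generation)

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None if the login is refused."""
        acct = self.accounts.get(user)
        if acct is None or not self._check_password(user, password):
            return None
        if acct.single_login and self._live_sessions(user) > 0:
            return None  # a live session already holds the account
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, acct.generation)
        return token

    def is_valid(self, token: str) -> bool:
        """A session is live only while its generation matches the account's."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        return sess.generation == self.accounts[sess.user].generation

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self.accounts[user]
        if not self._check_password(user, old):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.generation += 1   # every earlier session now fails is_valid()
        return True

    def set_single_login(self, token: str, enabled: bool) -> None:
        if self.is_valid(token):
            self.accounts[self.sessions[token].user].single_login = enabled


def demo() -> dict:
    """Constructed scenario mirroring the report: desktop holds the lock,
    the owner changes the password from elsewhere, desktop is revoked."""
    srv = AuthServer()
    srv.register("alice", "correct horse")
    desktop = srv.login("alice", "correct horse")
    srv.set_single_login(desktop, True)
    phone_before = srv.login("alice", "correct horse")  # refused: lock held
    srv.change_password("alice", "correct horse", "battery staple")
    desktop_after = srv.is_valid(desktop)               # stale session revoked
    phone_after = srv.login("alice", "battery staple")  # lock released by revocation
    return {"phone_before": phone_before,
            "desktop_after": desktop_after,
            "phone_after": phone_after is not None}


if __name__ == "__main__":
    print(demo())
```

Because revocation is checked on every authenticated operation rather than pushed to the client, a stale client can still appear "logged in" locally until its next request; what matters is that the server refuses it, and that the single-login lock counts only sessions of the current generation.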
From ayoub.naitlamine1 at gmail.com Tue Mar 25 11:19:16 2014
From: ayoub.naitlamine1 at gmail.com (ayoub nait lamine)
Date: Tue, 25 Mar 2014 15:19:16 +0000
Subject: report bug
Message-ID:
Hello, I am a security researcher and wanted to responsibly disclose a security
vulnerability found in your website. Below is a snapshot.
[image: Inline images 1]
I want to be rewarded or to have my name put on the list of special ethical hackers
on your website.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Capturexss.PNG
Type: image/png
Size: 360635 bytes
Desc: not available
URL:
From elb at pidgin.im Tue Mar 25 12:04:29 2014
From: elb at pidgin.im (Ethan Blanton)
Date: Tue, 25 Mar 2014 12:04:29 -0400
Subject: report bug
In-Reply-To:
References:
Message-ID: <20140325160429.GB10737@mail.kb8ojh.net>
ayoub nait lamine spake unto us the following wisdom:
> Hello, I am a security researcher and wanted to responsibly disclose a security
> vulnerability found in your website. Below is a snapshot.
We are going to have trouble fixing, or even identifying, this problem
from just a screen shot. Can you tell us how you achieved it? I
assume the problem is that you were able to enter a snippet of
Javascript as an email address, and it was executed in your browser?
> I want to be rewarded or to have my name put on the list of special ethical hackers
> on your website.
You probably want to report this vulnerability to the Trac project
(trac.edgewall.org) for this. We did not write and do not maintain
trac, we simply use it on developer.pidgin.im. While there is no such
list per se, there are public vulnerability disclosures, and they
normally include the discoverer of a vulnerability. However, it is
not our place to disclose vulnerabilities in trac, as trac will want
to coordinate the disclosure with many users and packagers of their
system, not just Pidgin.
Ethan
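Ethan's guess above is that markup entered into an email-address field came back out of the page unescaped. As an added example (not Trac's or Pidgin's code; all names are hypothetical), the following renders such a field the unsafe way beside the hardened way: a strict syntax check on input, HTML escaping on output, and a small check a reviewer can run over rendered output to see whether foreign markup survived. The hostile sample input is a constructed, harmless bold tag rather than script.

```python
"""Rendering a user-supplied email field into HTML (added example)."""
import html
import re

# Conservative address syntax: local part, one '@', dotted host labels.
# Anything containing '<', '>', quotes or spaces fails this check.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)

WRAP_OPEN = '<td class="email">'
WRAP_CLOSE = "</td>"


def validate_email(value: str) -> bool:
    """Input-side control: reject values that are not plausible addresses."""
    return EMAIL_RE.fullmatch(value) is not None


def render_unsafe(email: str) -> str:
    """The pattern being guessed at: raw interpolation into the page."""
    return WRAP_OPEN + email + WRAP_CLOSE


def render_escaped(email: str) -> str:
    """Output-side control only: entity-encode before interpolating."""
    return WRAP_OPEN + html.escape(email, quote=True) + WRAP_CLOSE


def render_safe(email: str) -> str:
    """Defence in depth: validate on input *and* escape on output."""
    if not validate_email(email):
        raise ValueError("rejected: not a well-formed email address")
    return render_escaped(email)


def foreign_markup_survived(rendered: str) -> bool:
    """Review check: did any tag other than our own wrapper reach the output?"""
    assert rendered.startswith(WRAP_OPEN) and rendered.endswith(WRAP_CLOSE)
    body = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" in body or ">" in body


# Constructed sample inputs: one ordinary address, one carrying markup.
GOOD = "reporter@example.org"
HOSTILE = "<b>bold</b>@example.org"

if __name__ == "__main__":
    for value in (GOOD, HOSTILE):
        print(value, "unsafe leaks markup:", foreign_markup_survived(render_unsafe(value)))
        print(value, "escaped leaks markup:", foreign_markup_survived(render_escaped(value)))
```

Escaping alone already neutralises the markup in the rendered page; the input check adds a second layer so the bad value never reaches storage, which also keeps it out of any other consumer (exports, notification emails) that might render the field without escaping.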
From ayoub.naitlamine1 at gmail.com Tue Mar 25 12:15:47 2014
From: ayoub.naitlamine1 at gmail.com (ayoub nait lamine)
Date: Tue, 25 Mar 2014 16:15:47 +0000
Subject: report bug
In-Reply-To: <20140325160429.GB10737@mail.kb8ojh.net>
References:
<20140325160429.GB10737@mail.kb8ojh.net>
Message-ID:
2014-03-25 16:04 GMT+00:00 Ethan Blanton :
> ayoub nait lamine spake unto us the following wisdom:
> > Hello, I am a security researcher and wanted to responsibly disclose a security
> > vulnerability found in your website. Below is a snapshot.
>
> We are going to have trouble fixing, or even identifying, this problem
> from just a screen shot. Can you tell us how you achieved it? I
> assume the problem is that you were able to enter a snippet of
> Javascript as an email address, and it was executed in your browser?
>
> > I want to be rewarded or to have my name put on the list of special ethical hackers
> > on your website.
>
> You probably want to report this vulnerability to the Trac project
> (trac.edgewall.org) for this. We did not write and do not maintain
> trac, we simply use it on developer.pidgin.im. While there is no such
> list per se, there are public vulnerability disclosures, and they
> normally include the discoverer of a vulnerability. However, it is
> not our place to disclose vulnerabilities in trac, as trac will want
> to coordinate the disclosure with many users and packagers of their
> system, not just Pidgin.
>
> Ethan
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xss in developer.pidgin.im.mp4
Type: video/mp4
Size: 1010388 bytes
Desc: not available
URL:
From ayoub.naitlamine1 at gmail.com Thu Mar 27 13:56:13 2014
From: ayoub.naitlamine1 at gmail.com (ayoub nait lamine)
Date: Thu, 27 Mar 2014 17:56:13 +0000
Subject: report bug
In-Reply-To:
References:
<20140325160429.GB10737@mail.kb8ojh.net>
Message-ID:
https://www.youtube.com/watch?v=OGXcRsQEnhc&feature=youtu.be
2014-03-25 16:15 GMT+00:00 ayoub nait lamine :
>
>
>
> 2014-03-25 16:04 GMT+00:00 Ethan Blanton :
>
> ayoub nait lamine spake unto us the following wisdom:
>> > Hello, I am a security researcher and wanted to responsibly disclose a security
>> > vulnerability found in your website. Below is a snapshot.
>>
>> We are going to have trouble fixing, or even identifying, this problem
>> from just a screen shot. Can you tell us how you achieved it? I
>> assume the problem is that you were able to enter a snippet of
>> Javascript as an email address, and it was executed in your browser?
>>
>> > I want to be rewarded or to have my name put on the list of special ethical hackers
>> > on your website.
>>
>> You probably want to report this vulnerability to the Trac project
>> (trac.edgewall.org) for this. We did not write and do not maintain
>> trac, we simply use it on developer.pidgin.im. While there is no such
>> list per se, there are public vulnerability disclosures, and they
>> normally include the discoverer of a vulnerability. However, it is
>> not our place to disclose vulnerabilities in trac, as trac will want
>> to coordinate the disclosure with many users and packagers of their
>> system, not just Pidgin.
>>
>> Ethan
>>
>
>