Trillian Vulnerability - Security Flaw Found in Trillian IM

  • jonblund
    Member
    • Mar 2005
    • 7

    #16
    you didn't get my point, or you are one of those who are a pain in the ass

    Originally posted by dYn4mic
    I used Trillian once and it was crap.. (long time ago).
    I've been using gaim for about.. 4 years or more now.. and it's great. Lately with the gaim encryption plugin or just tunnel it's plenty secure for my 'chats'. Check out SILC gaim/ SILC irssi for a great crypto and more chat protocol.

    ---"But why are they making the password so easy to crack. "
    +
    +
    +
    aspect.. the job is MUCH harder.[/rant]
    I don't think you got my point.

    "A machine with good security is hard enough, when you introduce a network aspect.. the job is MUCH harder."

    If someone has physical access to your computer then it's not hard to find out what your password is because it's so badly encrypted

    By the way:
    It was not a question, I was just trying to make a point!
    "We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons. and you call us criminals"


    • TheCotMan
      *****Retired *****
      • May 2004
      • 8857

      #17
      Originally posted by jonblund
      If someone [has] physical [access] to [your] computer then [it's] not hard to find out [what] [your] password is because its so badly [encrypted]
      If an "evil user" has physical access to my computer, instant messaging passwords are not my first worry. :-o

      Many instant messaging protocols use plain-text authentication over the wire. People who make instant messenger clients probably consider this (rightly or wrongly) when they choose how to store passwords on the local system. They may ask: Why add advanced security to a product that has other large holes in a protocol it uses?

      Another consideration is the OS security per user...

      If a malicious user is able to have access to the same resources as you on your system like Windows, MacOS X, or Linux or other *NIX, then they have many methods with which to gain access to IM cached passwords by using a trojan on your system.

      Consider a system where a wrapper for an application is created that actually calls the application you want to run (specialized trojan), but also performs a "memory trace" of the running application. If the trace is properly customized, then when the application decrypts the locally cached passwords, they are eventually stored in memory for the application as plain-text.

      Such a trojan would really only be required if there was an extra authentication needed to start the application. If the application can be started by this "evil user" then they don't even need the trojan, as they can run the trace on their own.
      Even if there was no way to break the cipher/encrypted data directly, we now have access to the plain-text passwords.

      (Yes, I realize there is a difference between waiting for a user to run a trojan and stealing a file as needed.)

      Yet another reason developers of chatting software may have for choosing not to focus on better security for cached password encryption.

      (Even Apple's keychain system can be defeated with trojans, and they actually did a much better job of dealing with authentication caching than most other software.)

      Physical access also means being able to install keyboard wedge keyloggers, or if authenticated access is available, software-based keyloggers.

      There are very few systems made that are designed to allow the user to have physical access, and yet not be easy to break-- and such systems usually have requirements for critical pieces of hardware to not be available with physical access. (e.g.: you get physical access to a keyboard, mouse and monitor, but nothing else.)
      Last edited by TheCotMan; March 31, 2005, 07:47. Reason: grammar, spelling
