Lotus Sametime exports passwords in plain text
On his website, instant messaging expert Carl Tyler has released details of a security vulnerability in IBM's instant messaging software Lotus Sametime. The issue has not previously been reported, even though the behaviour is documented in the Sametime API. It turns out that a Sametime plug-in can query a user's password, in plain text, from the Sametime client. This is critical because Sametime usually authenticates against an enterprise directory that also protects other applications; this may be an Active Directory, the Domino directory or some other LDAP server.
Since version 7.5, the Lotus Sametime client has been based on Lotus Expeditor, an IBM distribution of the Eclipse Rich Client Platform. This platform allows users to extend the Sametime client with their own or third-party plug-ins. In the initial 7.5 version it was sufficient merely to copy the plug-in into the directory tree, but since version 7.51 the plug-in must be registered via the client. IBM is currently distributing version 8.0, with 8.5 expected sometime this year.
Plug-in installation can be controlled via server policies. For example, administrators can load plug-ins on all clients, or forbid users from installing or uninstalling plug-ins themselves. However, these policies can be circumvented if a user logs in to another community in which plug-in installation is not controlled: once a plug-in has been installed, it remains installed.
The API function getpassword() was introduced in Sametime 7.5 in order to allow automatic logins (SSO, single sign-on) in particular circumstances. Within the IBM world, the LTPA token is normally used for this purpose. This did not yet work in 7.5, so IBM introduced the password method. Since version 7.5.1, Sametime has been able to use the LTPA token.
The function getpassword() only returns the password if the user logs in to the Sametime client with a password. Where LTPA authentication, or the Sametime client embedded in Notes, is used, the function does not return the password, as it is not known to the Sametime client.
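The design point behind the two preceding paragraphs is that a client which retains the directory password for the benefit of an SSO plug-in necessarily exposes that password to every plug-in, while a client that holds only an opaque session token has nothing to hand over. The following is a constructed Python model written for this article, not IBM or Sametime code: the classes `LeakyClient` and `HardenedClient`, the `login_with_password` / `login_with_token` methods and the plug-in-facing `get_password()` / `get_plugin_token()` calls are all assumptions that mirror the behaviour described above, not the real Sametime API.

```python
"""Model of how a plug-in host leaks a directory password, and one that does not.

Constructed example, not IBM/Sametime code. Class and method names are
assumptions chosen to mirror the behaviour the article describes.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
from typing import Callable, Optional


@dataclass
class LeakyClient:
    """Client that keeps the directory password and hands it to plug-ins.

    Mirrors the 7.5-era behaviour: after a password login the plaintext is
    retained so that an SSO plug-in can fetch it via get_password().
    Any other plug-in installed in the client can call the same method.
    """
    user: str
    _password: Optional[str] = field(default=None, repr=False)
    _token: Optional[str] = field(default=None, repr=False)

    def login_with_password(self, password: str) -> None:
        # Plaintext retained for the life of the session.
        self._password = password

    def login_with_token(self, token: str) -> None:
        # LTPA-style login: the client never sees the password at all.
        self._token = token

    def get_password(self) -> Optional[str]:
        # Plaintext when the user logged in with a password; None after a
        # token login, because the password simply is not known here.
        return self._password


@dataclass
class HardenedClient:
    """Client that never retains the password and gives plug-ins a scoped token.

    The password is used once to authenticate, then dropped. Plug-ins can
    only obtain a per-plug-in token derived from a random session key, so a
    misbehaving plug-in cannot recover the directory credential.
    """
    user: str
    _session_key: Optional[bytes] = field(default=None, repr=False)

    def login_with_password(self, password: str,
                            authenticate: Callable[[str, str], bool]) -> bool:
        # `authenticate` stands in for the directory check (assumption).
        if not authenticate(self.user, password):
            return False
        # Keep only a random session key; the password is not stored.
        self._session_key = secrets.token_bytes(32)
        return True

    def get_password(self) -> None:
        # Deliberately has nothing to return: the password is not held.
        return None

    def get_plugin_token(self, plugin_id: str) -> Optional[str]:
        # HMAC over the plug-in id with the session key: stable per plug-in,
        # different between plug-ins, and useless for a directory login.
        if self._session_key is None:
            return None
        return hmac.new(self._session_key, plugin_id.encode(),
                        hashlib.sha256).hexdigest()


def plugin_view(client) -> dict:
    """What an installed plug-in can learn from the client it runs inside."""
    return {
        "user": client.user,
        "password": client.get_password(),
    }


if __name__ == "__main__":
    leaky = LeakyClient("alice")
    leaky.login_with_password("directory-secret")       # constructed value
    print("leaky, password login:", plugin_view(leaky))  # password visible

    leaky_sso = LeakyClient("alice")
    leaky_sso.login_with_token("ltpa-token-placeholder")
    print("leaky, token login:", plugin_view(leaky_sso))  # password None

    hardened = HardenedClient("alice")
    hardened.login_with_password("directory-secret", lambda u, p: p == "directory-secret")
    print("hardened:", plugin_view(hardened), hardened.get_plugin_token("sso-plugin"))
```

The model makes the article's two observations concrete: with `LeakyClient`, the password is exposed exactly when the user typed it into the client and is absent after a token login; with `HardenedClient`, the same plug-in interface yields nothing usable against the directory, which is the property a shared enterprise directory needs from every client that authenticates against it.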