Lotus IM Security Claims Draw Fire

UPDATE: Lotus officials respond to a researcher's claims that it is being disingenuous about security flaws in its Sametime instant-messaging client.

A security researcher who recently identified some vulnerabilities in Lotus Software's Sametime instant messaging client says the company is being disingenuous about the extent of the flaws and whether they're fixed in the latest version.

The researcher, who goes by the name Mycelium, says that despite Lotus' claims, the vulnerabilities in Sametime's encryption scheme have not been fixed in Version 3.0 and that it is still a trivial matter to recover users' keys as well as their passwords. Both a user's password and the key used to encrypt the password are sent in the same packet.

"You simply can't send a user's credentials somewhere over a network securely unless you either use a key-exchange protocol or you already have a symmetric key agreed on. Windows Sametime 3.0 client does neither," Mycelium claims in a post on the BugTraq mailing list from Monday.

Sametime is mainly used in corporate settings.

Lotus, a division of IBM, did not issue a formal response to the disclosure. However, Ed Brill, one of the Cambridge, Mass., company's marketing executives, addressed it in his blog on the Lotus Web site, saying that the claims are "certainly worth looking into." Brill disputed Mycelium's assertions that the flaws exist in the current version of Sametime and said, "The particular vulnerability being reported hasn't been in a shipping version of Sametime for years."

Lotus officials said they believe that the encryption issue was resolved in Version 1.5. "We think it's related to an improvement we made to Sametime's encryption in 1.5, but we're actively investigating it," said Steve Londergan, senior marketing manager at Lotus. "We take security very seriously."

Lotus officials issued a statement Wednesday saying that the encryption issues Mycelium identified were fixed in version 2.0 and are not present in any subsequent version. The statement also said that the authentication packet the researcher analyzed is one that's used in a re-connection attempt after secure key exchange has already occurred. "The security alert claims that Sametime 3.0 cannot possibly perform secure key exchange with a single packet. This is true, which is why Sametime 3.0 doesn't work that way," the statement said.


In an e-mail interview, Mycelium said that Sametime's encryption scheme is essentially a complete failure at protecting user credentials.

"The bottom line is that Sametime is improperly using encryption as a way to merely obfuscate the user's credentials," he said. "They might as well be using ROT13 or a Captain Crunch decoder ring. It would really help if the people at these corporations actually read about the problems before trying to dismiss them as false."

Mycelium added that the encryption problems he found are just the beginning of a series of security issues in Sametime that he plans to disclose in the near future.

"The poor programming practices you see illustrated with these bugs are expressed in other, harder to find and exploit bugs," he said. "Currently, I'm working on investigating [denial-of-service] attacks and buffer overflows in Sametime 3.0. It's truly a gold mine."

(Editor's Note: This story has been updated since its original posting to add comment from Lotus officials.)