
Winamp Authentication Flaw

abnc asked
Last Modified: 2008-03-17
I know this problem with Winamp has been around for a while (http://www.securiteam.com/windowsntfocus/5LP0M0A75G.html), but I have not found a solution. Does anyone know how to solve the problem of preventing Winamp from storing the username and password for streaming connections in a plain text file? It does not make sense for such a practice to be done since any user of the computer can simply look at the plain text file and get the credentials that the previous user had to access protected content.

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What version of Winamp do you have? That's referring to a pretty old version (current version is 5, that bug was before version 3).

But at the time, security wasn't nearly as big a worry. But in the present-day context, you're right, that should not have been done. But programmatically, it's easier, even though it's a hell of a lot less secure.

Author

Commented:
Every user that I have spoken with that connects to our protected stream using Winamp has the same flaw. Versions run from 5.18 right up to the latest, which is 5.21 (I believe). It makes me want to block all Winamp users, but that wouldn't make a lot of people happy. Just wondering what could be done to close the security hole.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Well, not too much... other than maybe finding a program to erase the history of Winamp. You MIGHT find something in here, but I can't promise it'll address that flaw. The biggest thing is really having AOL rewrite parts of the program to actually hash and more securely store that sort of information if it really needs it.

http://www.snapfiles.com/Shareware/security/swcookie.html


Author

Commented:
Well, I appreciate the responses. I have attempted to post on the Winamp forum but for some reason don't have permission to post, although I am a registered user. I will submit my suggestion that they at least not store credentials in plain text. We certainly have come far enough in technology to eliminate such needless storage of key information.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You're right, it's a very valid point. I wonder if they had ever attempted to fix that in Winamp 3... but of course, that was very much a failed experiment regardless. Hopefully by Winamp 6, that'll be a security hole of the past.