Hacking on Pidgin at RHoKSec at Haxpo on 28-29 May!

Posted on May 24, 2015 in Uncategorized
Hacking on Pidgin at RHoKSec at Haxpo on 28-29 May!

Pidgin, a wonder and versatile Instant Messaging client that anyone can use allows for connecting to a wide-variety of popular chat networks, such as AIM, ICQ, IRC, Jabber, XMPP, Facebook, Google Hangouts, iMessages, etc.

A very interesting feature that IM clients, such as MSN Messenger, back in the day, lacked was end-to-end encryption, something that made the user aware that the communication between them and their instant messaging partner was secure but at a passive level so that they didn’t have to do anything nor worry about all the technical details – just plug and play basically!

The Pidgin IM client allows the attachment of a lot of plugins. Did I say a lot? I mean A LOT! Anything that tickles your fancy can be done. Just a bit of coding skills needed, interface with Pidgin, plug that plug-in in (…) and huzzah!

However, with a lot of plug-ins, you, as the author of it, are responsible for the usability/functionality of the plug-in and of course – the security of it too!
With a lot, did I say..?, yeah yeah, A LOT of plug-ins, they all have a flaw in them because they might depend on libraries written by third-parties, that end up being vulnerable at a later stage, which can either make or break your plug-in. (i.e. GHOST glibc, Bashin’ The Shellshock, Winshock (Hmph! Windows..))

So with these in mind, secure communications…plugins…Pidgin…we stumble upon a rather remarkable plugin based on the Off-the-Record protocol created by Ian Goldberg and Nikita Borisov. It’s cool, it can be integrated into different IM clients, but Pidgin and OTR work so great – especially since it will work to all the networks you connect to. i.e. You’re speaking with your friend on Google using OTR and simultaneously speaking with another friend of yours on AIM! It’s awesome!

…But it has issues. Everything has a flaw. All code can be broken if you actively try to. This includes Pidgin and the OTR plugin!

So! We need people like you to come and give a helping hand! Maybe find a flaw that has not been found yet on the client or the plug-in… or maybe be one of the super-cool people who will actively take the tremendous challenge of getting Pidgin to work on Firefox OS? (I think Mozilla would appreciate a badass chat client like Pidgin being on their OS!)

In reference to the Firefox OS App challenge that RHoKSec is also hosting with Lisha Sterling, they have a suggestion of Mailvelope. Could you imagine this scenario…

You send an e-mail that is PGP encrypted to your buddy which requests them to speak to you on Pidgin, so you fire up Pidgin which has the OTR-plugin, you authenticate and bam! Secure! The NSA would be furious! From A-Z you are secured!

If you want fame and glory, you’ve come to the right place! Let’s make sure that this kickass IM client is secure and if we can, get it onto that Firefox OS so we can all be secure from A-Z!

More info in my brief on the day @RHoKSec @HITBSecConf!

See ya there 53cur1ty n1nj45! – @pr0xy3