|Affected Products:||libpurple (all versions), libpurple clients with DBUS support (incl. all versions of pidgin), pidgin-otr (all versions)|
|Class:||Information Exposure (CWE-200), Privacy Violation (CWE-359), Information Exposure Through Sent Data (CWE-201)|
|Discovered by:||Dimitris Glynos|
libpurple-based applications broadcast the plaintext of OTR (off-the-record) conversations over DBUS.
This makes the plaintext available to other (possibly unrelated) applications executing under the same
user. Also, due to a design flaw in libpurple, the user’s choice of not logging OTR plaintext on Pidgin is not communicated over to the third party applications listening on DBUS. This may lead to unintentional (on disk) logging of private messages.