A vulnerability in “libotr,” the C code implementation of the Off-the-Record (OTR) protocol that is used in many secure instant messengers such as ChatSecure, Pidgin, Adium and Kopete, could be exploited by attackers to crash an app using libotr or execute remote code on the user’s machine.
“An attacker could execute his own code inside the instant messaging application. He could hack the victims computer using this or alternatively just steal the encryption keys and the chat logs from the messenger,” Markus Vervier, managing director of German app sec testing firm X41 D-SEC and discoverer of the vulnerability told Help Net Security.
