In the course of implementing Credence, we found two critical vulnerabilities in the popular LimeWire client. The links below describe these problems:

The vulnerabilities allow anyone on the network to read any file on a machine that is connected to the Gnutella network with the LimeWire client. The first vulnerability can be exploited even if the host is behind a firewall. A simple telnet client is sufficient to take advantage of these vulnerabilities.

We contacted LimePeer on February 26, 2005 with a description of these problems. LimeWire responded immediately and had a patch ready within a few hours. They were very responsive, forthright, and diligent; the patch completely addresses these problems. If you are a LimeWire user, please UPDATE YOUR CLIENT to Credence 1.2 or LimeWire 4.8.0 (or above)!!!

Computer Science Department
Cornell University