Halloy IRC Application Umask Vulnerability Leading to Credential Disclosure
Vulnerability
A vulnerability exists in the Halloy IRC client on *nix and macOS in versions prior to the fixing commit of March 2026. Halloy created its configuration directory and files without restricting their permissions, so they inherited whatever the process umask allowed; under the common default umask of 022 this yields 0644 files and 0755 directories, which every local user can read. As a consequence, any local user could read plaintext credentials from 'config.toml' or from the files referenced by its 'password_file' entries. The issue is fixed in the latest commit.
Impact
This vulnerability allows any local user on the same machine to read the IRC credentials stored in Halloy's configuration files, including server passwords, NickServ passwords, and SASL passwords. Beyond hijacking the victim's IRC identity, such exposure enables credential stuffing against other services, since users often reuse passwords.
Reproduction
To reproduce this vulnerability, install an affected Halloy build on a shared *nix or macOS system with the default umask. Run the application so that it creates 'config.toml' in its configuration directory, and configure a server password. A second local account can then open the file and read the plaintext credentials, because the umask-dependent mode left it readable by others; the same applies to any 'password_file' the configuration points to if that file was created with the same default permissions.
Remediation
Users should update to the latest version of Halloy, which sets the configuration directory and files to owner-only permissions. Because the fix governs how files are created, users should also verify files already on disk: on the affected platforms, `chmod 700` on the configuration directory and `chmod 600` on 'config.toml' and every 'password_file' target close the exposure immediately, and `ls -l` on those paths confirms that no group or other read bits remain. Setting a restrictive umask such as 077 for the account limits the same class of problem in other applications, but is not a substitute for the upgrade.
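The following is an added example written for this page, not Halloy's own code, showing the check from the reproduction section and the hardened creation pattern from the remediation in Rust (the language Halloy is written in). It assumes a configuration file in Halloy's TOML style where any key ending in `password_file` names a path; the sample config and key names are constructed for the demo, and `referenced_password_files` is a deliberately simple line scanner rather than a TOML parser.

```rust
// Added example (not part of Halloy): create a config directory and file with
// owner-only permissions regardless of the process umask, and audit a config
// plus its referenced password files for group/other read bits.
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Create `dir` (and missing parents) and force mode 0700 on it.
/// mkdir(2) applies the umask to the requested mode, so the explicit
/// chmod via `set_permissions` is what guarantees owner-only access.
pub fn create_private_dir(dir: &Path) -> io::Result<()> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    fs::set_permissions(dir, fs::Permissions::from_mode(0o700))
}

/// Write `contents` to `path`, requesting 0600 at open(2) time and then
/// forcing 0600. The open mode is umask-masked and ignored for an existing
/// file, so the trailing chmod also repairs a file left at 0644 earlier.
pub fn write_private_file(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(path)?;
    f.write_all(contents)?;
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))
}

/// Permission bits usable by someone other than the owner (group/other rwx).
pub fn exposed_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o077)
}

/// True if group or others can read the file (the bits that leak credentials).
pub fn is_exposed(path: &Path) -> io::Result<bool> {
    Ok(exposed_bits(path)? & 0o044 != 0)
}

/// Simplified scan (assumption: not a full TOML parser) for keys ending in
/// `password_file`, returning the quoted path values so they can be audited too.
pub fn referenced_password_files(config: &str) -> Vec<String> {
    config
        .lines()
        .filter_map(|line| {
            let (key, value) = line.split_once('=')?;
            if !key.trim().ends_with("password_file") {
                return None;
            }
            let v = value.trim();
            let quote = v.chars().next()?;
            if quote != '"' && quote != '\'' {
                return None;
            }
            let inner = &v[1..];
            let end = inner.find(quote)?;
            Some(inner[..end].to_string())
        })
        .collect()
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("halloy-umask-demo-{}", std::process::id()));
    let cfg_dir = base.join("halloy");
    let cfg = cfg_dir.join("config.toml");
    // Constructed sample config; the key names are assumed, not taken from Halloy docs.
    let sample = "[servers.libera]\nnickname = \"alice\"\npassword_file = \"/home/alice/.halloy-pass\"\n";
    create_private_dir(&cfg_dir)?;
    write_private_file(&cfg, sample.as_bytes())?;
    println!("config.toml exposed bits: {:03o}", exposed_bits(&cfg)?);
    for p in referenced_password_files(sample) {
        match exposed_bits(Path::new(&p)) {
            Ok(bits) if bits & 0o044 != 0 => println!("{p}: readable by others ({bits:03o})"),
            Ok(_) => println!("{p}: ok"),
            Err(e) => println!("{p}: {e}"),
        }
    }
    fs::remove_dir_all(&base)
}
```

Requesting the mode at `mkdir`/`open` time is not enough on its own: both calls mask the mode with the umask, and `open` ignores it entirely when the file already exists, which is why the example always follows up with `set_permissions`. Running the audit functions against a real Halloy installation is a quick way to confirm that an upgrade, or the manual `chmod`, actually removed the exposure.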
