
luckycharms (Original poster), Nov 25, 2010
Hi Folks,

I'm disseminating the news here, because when I try to post on the SplashData forums, the moderators censor my post.

SplashID Safe for iOS has a serious security flaw, as uncovered by the elcomsoft team: http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

from the whitepaper:
SplashID Safe for iPhone: ... It stores master password in the database using reversible encryption. That is, it uses hard-coded key “g.;59?^/0n1X*{OQlRwy” to encrypt master password using Blowfish algorithm and then stores the result in the database. Obviously, the master password can be instantly recovered by simply decrypting the data.

I am posting this not to encourage hacking (I *use* SplashID!), but rather to force the hand of the otherwise unresponsive SplashData development team.
 
Old news: that flaw in the iPhone version was fixed in release 6.1

SplashData actually did respond to that with a new version of SplashID Safe, and pretty quickly: it was fixed in release 6.1 for iPhone and iPad. Update is free for all reg'd users on desktop and iOS.
 
I just heard back from SplashData, and you're right - they did fix it. I have no idea why they would then censor my questions on their forum, but they did, and that's unfortunate.

I corresponded with one of the authors of the whitepaper exposing the flaw, and here's what he had to say:
Yes, it is correct that the SplashID application has been fixed. It now removes the encrypted password from the database on launch. However, if you change the master password, the encrypted password is written to the DB again and stays there until the program is re-launched (i.e. by killing the application and restarting it, or rebooting the phone).
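As an added illustration (not code from SplashData, the whitepaper, or anyone in this thread), the Python below contrasts the flawed design the whitepaper describes, reversible encryption of the master password under a key embedded in the app, with a design that writes only a salted PBKDF2 verifier, so there is never anything recoverable in the database, even in the change-password window mentioned above. The stand-in cipher, the key and the sample password are all constructed; nothing here reproduces SplashID's actual storage format.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key baked into the app binary. The cipher used
# (Blowfish in the whitepaper) is beside the point: whoever has the binary has
# the key, so "encrypted" is equivalent to plaintext.
HARDCODED_KEY = b"example-hardcoded-key"


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for any reversible symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_store(master_password: str) -> bytes:
    """Flawed design: reversible encryption under an app-embedded key."""
    data = master_password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(HARDCODED_KEY, len(data))))


def weak_recover(stored: bytes) -> str:
    """With the embedded key, recovery is a single decryption, exactly as described."""
    return bytes(a ^ b for a, b in zip(stored, _keystream(HARDCODED_KEY, len(stored)))).decode()


def strong_store(master_password: str, salt=None, iterations: int = 200_000) -> dict:
    """Hardened design: persist only a salted PBKDF2 verifier, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def strong_check(record: dict, candidate: str) -> bool:
    """Check a login attempt in constant time against the stored verifier."""
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["verifier"])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("weak design recovers:", weak_recover(weak_store(pw)))
    rec = strong_store(pw)
    print("strong design accepts real password:", strong_check(rec, pw))
    print("strong design rejects wrong password:", strong_check(rec, "wrong"))
```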
 
Hi luckycharms,

As far as I know, we have not knowingly censored your posts on our forum. We do have very strict forum anti-spam rules due to an infestation earlier this year, and you may have gotten mistakenly caught in the net. If you let me know your username, I can see about approving your threads.

As for the security issue discovered by Elcomsoft, it was fixed in 6.1, and we have been in communication with them since the release of 6.1 to further improve the security of SplashID in future updates. Version 6.2 is coming soon to address additional more minor concerns.

Please let me know if you have any other questions.

-Justin
SplashData
 
Thanks for the reply, Justin, and glad to hear you remain in contact with the researchers. Now that the question has been answered, I'm not concerned with the content of the posts. When I posted the messages, it said they were waiting for moderator approval before being allowed through. Not sure why they never showed up on the forum, but it might be nice to make sure people are able to post there without getting dumped in spam or otherwise.
 
Speaking of flaws, does anyone know of a flaw in SplashID Safe (Mac 10.9.5 desktop version) which allows a hack or virus to deny you access to the software? Or is this a major bug? My SplashID Safe worked for a month until last week, when a popup window asks me to go PRO subscription, and whatever I do (close it, sign up for a year, sign up for a month) it reappears if I try to access any navigation button on the software (see my data, change settings...) thereby denying my access to my data, passwords, web and bank logins. Technical support has not been able to fix this yet (11 days now) and say I will have to delete my data and reinstall. Is this a bug, a hack, a virus?
 