SplashID Safe: Serious security flaw

luckycharms

macrumors member
Original poster
Nov 25, 2010
55
0
Hi Folks,

I'm dissemenating the news here, because when I try to post on the SplashData forums, the moderators censor my post.

SplashID Safe for iOS has a serious security flaw, as uncovered by the elcomsoft team: http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

from the whitepaper:
SplashID Safe for iPhone: ... It stores master password in the database using reversible encryption. That is, it uses hard-coded key “g.;59?^/0n1X*{OQlRwy” to encrypt master password using Blowfish algorithm and then stores the result in the database. Obviously, the master password can be instantly recovered by sinply decrypting the data.
I am posting this not to encourage hacking (I *use* SplashID!), but rather to force the hand of the otherwise unresponsive SplashData development team.
 

iosfan

macrumors newbie
May 23, 2012
1
0
Old news: that flaw in the iPhone version was fixed in release 6.1

SplashData actually did respond to that with a new version of SplashID Safe, and pretty quickly: it was fixed in release 6.1 for iPhone and iPad. Update is free for all reg'd users on desktop and iOS.
 

luckycharms

macrumors member
Original poster
Nov 25, 2010
55
0
I just heard back from SplashData, and you're right - they did fix it. I have no idea why they would then censor my questions on their forum, but they did, and that's unfortunate.

I corresponded with one of the authors of the whitepaper exposing the flaw, and here's what he had to say:
Yes, it is correct that SplashID application has been fixed. It now removes encrypted password from the database on launch. However, if you change master password, encrypted password is written to the DB again and stays there until program is re-launched (i.e. by killing the application and restarting it, or rebooting a phone).
 

splashdata

macrumors newbie
May 11, 2011
2
0
Hi luckycharms,

As far as I know, we have not knowingly censored your posts on our forum. We do have very strict forum anti-spam rules due to an infestation earlier this year, and you may have gotten mistakenly caught in the net. If you let me know your username, I can see about approving your threads.

As for the security issue discovered by Elcomsoft, it was fixed in 6.1, and we have been in communication with them since the release of 6.1 to further improve the security of SplashID in future updates. Version 6.2 is coming soon to address additional more minor concerns.

Please let me know if you have any other questions.

-Justin
SplashData
 

luckycharms

macrumors member
Original poster
Nov 25, 2010
55
0
thanks for the reply, justin, and glad to hear you remain in contact with the researchers. Now that the question has been answered, I'm not concerned with the content of the posts. When I posted the messages, it said they were waiting for moderator approval before being allowed through. Not sure why they never showed up on the forum, but might be nice to make sure people are able to post there without getting dumped in spam or otherwise.
 

GanseTan

macrumors newbie
Oct 3, 2015
1
0
Speaking of flaws, does anyone know of a flaw in SplashID Safe (Mac 10.9.5 desktop version) which allows a hack or virus to deny you access to the software? Or is this a major bug? My SplashID Safe worked for a month until last week, when a popup window asks me to go PRO subscription, and whatever I do (close it, sign up for a year, sign up for a month) it reappears if I try to access any navigation button on the software (see my data, change settings...) thereby denying my access to my data, passwords, web and bank logins. Technical support has not been able to fix this yet (11 days now) and say I will have to delete my data and reinstall. Is this a bug, a hack, a virus?
 

Similar threads

  • alamagator
6
Replies
6
Views
1K
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.