SplashID v7 upgrade security issue - Security Discussion

Besides the issues SplashData has with their SplashID v7 android upgrade losing many customers data, there is also a very worrying security issue which splashdata ignores = and actively censors, my messages regarding this on their FB page have been deleted and I am blocked from commenting our writing there)
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only(which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers.*and it uses the same password* for this. (In fact as further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be fine, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in ask cases transmitted securely (doubt that too) and anyhow, once this has happened one had lost control over that most important password. It's burnt.in the wild, out of one's own control
Note that changing the password on one's own copy of SplashID us a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, us now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to fund it.better companies than splashdata have lost password in the past.
It is even a very bad idea to user the same password for s cloud service as one uses for securing one's private data. Forcing this into users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2

sejtam said:
Besides the issues SplashData has with their SplashID v7 android upgrade losing many customers data, there is also a very worrying security issue which splashdata ignores = and actively censors, my messages regarding this on their FB page have been deleted and I am blocked from commenting our writing there)
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only(which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers.*and it uses the same password* for this. (In fact as further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be fine, not asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in ask cases transmitted securely (doubt that too) and anyhow, once this has happened one had lost control over that most important password. It's burnt.in the wild, out of one's own control
Note that changing the password on one's own copy of SplashID us a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, us now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to fund it.better companies than splashdata have lost password in the past.
It is even a very bad idea to user the same password for s cloud service as one uses for securing one's private data. Forcing this into users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Click to expand...
Click to collapse
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.

pulser_g2 said:
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Click to expand...
Click to collapse
Not much more that I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank acount and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on ones' Android (or iPhone, etc) or Desktop everytime to
unlock and decrypt (in memory), so that one access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPDGRADE ALL' when it was offered along with a nunber of other upgrades. So it got installed.
When i subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc) and as normal asked me for my password (it also asked for my email address. I though that this was for them to check my purchase/license ans what features woudl be enabled)..
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opeted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message: (paraphrasing) "we have created your cloud account, you will get an email and will have to verify your email). Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.{/QUOTE]
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again ther enter my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never
asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that aco****.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop is now 'leaked' to their cloud account
b) I have *no* idea how secuerly that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have nost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any pass backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have
been copied to the cloud (dropbox, others) are now vulnerable. It is no use for me to change this password here now, as
old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but eg Titatium Backup may have at some point in teh past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that featire failed).
More that that, of course users who are not as security conscious may have opeted for 'could sync'.
While I have not tried this feature myself, it sounds to me like thsi does copy the teh data to SplashID's cloud and
there secures it too only with that one single password.
So many users wh may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their
password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (ie, transfer the complerte encrypted password to the mobile or desktop where the comparisonupdates would happen) and then copied back again a secured file, that was encrypted on the mobile).
Click to expand...
Click to collapse

More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server

Related

SECURITY: passwords storing

I would be really pleased if someone could give me a technical description (a cryptographic one) about how ANDROID stores the user´s private passwords. I mean, how are they are encrypted (if it does)? ¿using what algorithms and keys?
The reason is easy to understand. A normal user gives it´s phone 2 types of passwords that should be protected:
1.- One, is the Google´s main password used by the phone to sync (GMail, Calendar, etc)
2.- The second are the passwords that have been marked in the ANDROID´s browser as: "remembered"
Isn´t hard to imagine a situation in what you phone becames lost and it arrives at hands of someone that (before formatting it) wants to take advantadge or obtain all the phone´s stored passwords.
In fact, reading the internal file system or the SD one, must be almost trivial, and from there obtaining the passwords. ¿How does ANDROID protects the user against it?

[APP]Boardies Password Manager

I have uploaded my first app on to the Android Market and haven't too much interest so far on XDA so I thought I would post a little bit more information about the app.
This is a simple and light weight app that allows you to securely store and easily login to different websites on your phone.
Do you have all your passwords saved into your devices web browser meaning that anyone who has access to your phone can log on to the websites that you’ve accessed. Do you regularly wipe your phone for whatever reason and get annoyed at having to keep typing in your username and password. Then this might be the app for you.
The app will store all the login information that you enter into the app, which include the company name, the web address, username and the password. Each login is listed on the front screen. If you click on the stored login it will load the website and copy the username to the clipboard allowing you to paste into the username field. Also, when you launch the website from the app it will also create a notification. Once you have copied the username you can then click on the notification to copy the password. This way you do not need to switch to and from the app and the browser to copy the login information. Once you have launched the website, the copying of the username and the password is done while the app is running in the background.
All passwords that are stored within the device are encrypted using AES encryption algorithm to ensure your data is safe.
To protect others from accessing the app you can enable a password that needs to be entered before getting access to the app. Also, for added protection you can enable a feature that will automatically reset the app back to first use if the password gets entered incorrectly 3 times.
The app enables you to backup and restore your stored logins to a file on the SD card of your device. Should you need to wipe your phone, or if you get a new device and want to restore the logins onto your new device you can use the file that was generated from the backup in order to restore your data.
Although the App has Internet Access this is only there to enable you to submit bug reports from inside the settings menu and to enabled adverts to support the app development. I promise you, know personal information that you store inside the app is sent over the internet.
The App can be found on the Android Market. There are two versions, one which is a free ad supported version and a donate version which is identical to the free version but doesn't show ads. Please search for Boardies Password Manager.
Thanks
A new update has been released today in order to enable support for Android 2.1 and up. Tests have also been made to ensure that the app works correctly on honeycomb

New Forensics Tool Can Slurp a Phone’s Data via the Cloud

Time to "double wrap" the hat with tin foil...
New Forensics Tool Can Slurp a Phone’s Data via the Cloud
The police don't even need to touch your phone anymore to know how you've been using it. A new off-the-shelf forensics tool lets cops retrieve all the data they want from your iPhone by accessing its contents through iCloud.
The software, developed by ElcomSoft, lets investigators retrieve user data associated with iPhones from Apple's iCloud online backup service, reports The Register. There's a thorough descripton of how the technology works on ElcomSoft's website, but from The Register:
"iCloud backups offer a near real-time copy of information stored on iPhones including emails, call logs, text messages and website visits. iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within reach of a Wi-Fi access point.
"'While other methods require the presence of the actual iPhone device being analyzed or at least an access to device backups this is not the case with iCloud,' ElcomSoft chief exec Vladimir Katalov explained. 'With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect.'"
Of course, the solution does require access to the Apple ID and password of the person who's being snooped on and they might not be easy to obtain. But, once those details are in place, the data can be swiftly downloaded, unencrypted. Nice. [ElcomSoft via The Register]
Interesting. I suppose something like this could happen with Google eventually as well, but the only thing that I ever backup are contacts. There was a story posted recently about the FBI issuing a warrant to Google to get access to a pimp's phone because they couldn't crack his unlock pattern.
http://arstechnica.com/tech-policy/...droids-pattern-lock-serves-warrant-on-google/
Even with this, they can only get a limited amount of his data. Google only allows for syncing of Contacts, Calendar, and Gmail, so if he doesn't use it as a main source for data or have his other email linked too it they still won't gain much info. Not sure why the warrant asks for texts because last I checked even Wireless providers only keep logs of numbers texted, not the messages themselves, correct?
Anyway, while this doesn't seem an issue as it requires a warrant, as you said if someone got access to an AppleID and password for malicious purposes it's open season.

Is there a portable password manager that can also log into my computer?

Hello,
I was wondering if there is a password manager out there which can be stored on a flashdrive so that I can plug it in to log into my PC among other applications and websites?
I have never used a password manager before, and since recent scandals involving password theft, I feel like a lot of people are posting about the benefits of a password manager, so I felt I should try a password manager as well. I want to go the whole nine yards though. I want an immersive experience to REALLY get a feel of whether or not I will use a password manager, so I want to change everything, including my google password and Microsoft password, and let my password manager handle keeping them.
However, my Microsoft password is linked to my PC, so my computer password changes when my Microsoft account password changes. If I change it to some randomly generated strong password I would not remember it and would depend entirely on the password manager, which is why I want to know if there is a portable application that can log into my PC for me as well.
Also, my google account is linked to my phone, and it keeps record of my call history, text messages, and contacts. These are things I want to be retained whenever I get a new phone, factory reset my current phone, or clean install a custom ROM, so is there a password manager that handles this as well? The problem with apps is the fact that we need Google Play Store to download and install them officially, and we need a google account to access Google Play Store. I know that I can sideload an apk from my computer to my phone, but let's say I get a new phone at Best Buy and just CAN'T wait to get home and start using it. When I boot up it'll ask for my Google account so it can restore my contacts at the very least, but I'd be dependent on my password manager and will not be able to login without it. Is there something I can do that will allow me to login immediately upon turning on this shiny new device?
I've tried Dashlane, they don't have a remedy for the things above, and it seems like most password managers do not. On top of Dashlane's android overlay doesn't pop up when adding a google account, whether it just be for gmail or other google services. I am pretty sure that my request is a stretch, and if so, I'll probably just continue to manually type in my own passwords, but I figured I'd ask and see if anyone knew of an app that might do what I want or is migrating in that direction.
Thanks,
Weilun

Hacked for sure!!!

Hello group hope you can help me with this most recent conundrum I am what I considered to be a power user but not anywhere near the level of developer I know my way around my phone and that's about it I have basic networking skills. Recently I noticed a few charges on one or two of my accounts such as venmo or cash app those charges quickly escalated to other charges on virtually every single payment platform that I am signed into I'm embarrassed to say it but whoever hacked me got me and I'm positive that it came through my Android phone based on the activity on my Gmail accounts my question is this how can I definitely unequivocally find the footprints in my phone through logcat viewer and or how can I guarantee that they will not be transferred to my new phone once I transfer apps
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Qwerty_in_me said:
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Click to expand...
Click to collapse
thank you for your reply.. what bothers me is google had no record of anything other than my phone logged in. to any account..another tidbit...rules had been created by whomever to send emails relating to my financial stuff to trash and erase. Lastly i had helped a friend log into her cash app one time and her cards had charges from the same period dollar ammount and places...even as recent as today facebook canceled an ad account that wasnt mine but i was paying for it.
Probuilt5337 said:
thank you for your reply.. what bothers me is google had no record of anything other than my phone logged in. to any account..another tidbit...rules had been created by whomever to send emails relating to my financial stuff to trash and erase. Lastly i had helped a friend log into her cash app one time and her cards had charges from the same period dollar ammount and places...even as recent as today facebook canceled an ad account that wasnt mine but i was paying for it.
Click to expand...
Click to collapse
yeah, nuke everything you had and make a new online presance.
I can't say what happened as it sounds like a data breach, but there's some h4xx0r elements there too.
stay safe! Use a password manager and 2fa!
Qwerty_in_me said:
this sounds like a simple stolen password / email scenario.
Change your passwords for every account you have, use different ones for each or better: a password manager like keepassxc - is gud.
database leaks happen quite often and that's why we use different passwords and 2fa for each of our accounts, if you think this isn't just a stolen identity case and you are woried about it, create a new google identity using a new email ( remember the password manager! ) on your new phone, download all your apps from trusted sources and discard all accounts creating new ones (if you have money/sensitive data, transfer it in the safes possible manor) and do a factory reset on your old device for good measure
Click to expand...
Click to collapse
I found the culprit... I had downloaded a copy of miracle thunder from a shady source because I did t want to wait for the paid for edition. Needles to say, again being in a rush, I plugged my personal phone in and remarked "well u get what you pay for this sw is t doing sh*t" ...oh boy was I wrong it was doing plenty.... LESON LEARNED ty everyone for your help.

Categories

Resources