Studiometry – Insecure Password Storage
- Published: 26 Jul 2016
Studiometry – Insecure Password Storage
Share
Type
- Insecure Password Storage
Severity
- High
Affected products
- Studiometry
CVE Reference
- N/A
Timeline
| 2016-07-11 | Issue reported to vendor |
| 2016-07-11 | Response received from vendor |
| 2016-07-13 | Vendor provided beta with patches for testing. Vulnerability verified as fixed in beta. |
| 2016-07-14 | Vendor notified MWR that an official patch would be released 2016-07-25. |
| 2016-07-25 | Oranged Software released official patched version 12.6.1 of Studiometry |
Description
Studiometry is a project and client management tool that is directed at small business. The tool comes in several forms with both a Windows and Mac OSX implementation. Additionally, cloud services are provided as well as an iOS mobile application. The Windows version of the application was tested but the advisory could affect the iOS and Mac OSX implementations. The configuration was that of a self-administered Studiometry server that a small business would be likely to use.
It was discovered that Studiometry stores user account passwords in encoded base64 format on both the server and its clients.
Impact
An attacker that has obtained access to a Studiometry database stored either on the server or one of its clients could easily decode all the users’ passwords for the application.
Cause
Insecure design and database management.
Solution
Update to Studiometry 12.6.1.
Technical Details
Please refer to the attached advisory above.