Security Advisories

FSC-2017-2: Multiple vulnerabilities with F-Secure KEY for Desktop

Description

Vulnerabilities in F-Secure KEY for Desktop could allow an attacker to obtain a user's login credentials.

Affected Products

Risk Level (Low/Medium/High/Critical): Medium

  • F-Secure KEY before 4.5.116

Platforms

  • Windows
  • Mac

More Information

An external researcher conducted a security audit of F-Secure KEY for Desktop (version 4.5.116), which was found to be susceptible to multiple vulnerabilities ranging from low to high risk levels. These include:

     1. [RISK:LOW] The content of the SQLite3 database is not fully encrypted, which could lead to disclosure of non-sensitive information.
     2. [RISK:MEDIUM] The application does not correctly check the domain name of a username/password request.

For the F-Secure KEY Password Manager browser extension (version 0.9.9.7), the vulnerabilities, ranging from low to high risk levels, include:

     3. [RISK:LOW] The autofill function does not correctly check country-code second-level domains.
     4. [RISK:MEDIUM] The Chrome extension does not verify the origin of click events.
     5. [RISK:MEDIUM] A malicious website could steal credentials for multiple websites.

 

By combining vulnerabilities 2, 3 and 4, an unauthorized attacker could obtain a user's login credentials.
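
Items 2 and 3 concern how a saved credential's domain is matched against the requesting page. The advisory does not describe the flawed logic, so this added example (not F-Secure's code) contrasts an assumed naive "last two labels" comparison with a suffix-aware check; the function names, the short suffix set and the host names are constructed for illustration.

```javascript
// Constructed sample of public-suffix entries. A real check should load the
// full Public Suffix List (publicsuffix.org) instead of this short set.
const SAMPLE_SUFFIXES = new Set(["com", "uk", "co.uk", "jp", "co.jp", "au", "com.au"]);

// Naive rule (assumed for illustration): a site is its last two labels.
// Under this rule every host below co.uk collapses to "co.uk".
function naiveSite(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Suffix-aware rule: the longest matching public suffix plus one more label.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Candidates shrink as i grows, so the first hit is the longest suffix.
    if (suffixes.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: refuse to match rather than guess
}

// Decide whether a credential saved for savedHost may be offered on pageHost.
function mayAutofill(savedHost, pageHost, siteOf = registrableDomain) {
  const saved = siteOf(savedHost);
  const page = siteOf(pageHost);
  return saved !== null && saved === page;
}

// Constructed hosts: two unrelated registrations under the same ccSLD.
const saved = "login.example.co.uk";
const unrelated = "www.other.co.uk";
console.log("naive:", mayAutofill(saved, unrelated, naiveSite));       // true
console.log("suffix-aware:", mayAutofill(saved, unrelated));           // false
console.log("same site:", mayAutofill(saved, "www.example.co.uk"));    // true
```
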

The issues were disclosed to F-Secure directly through our Vulnerability Reward Program, and no known attacks have been observed in the wild at the time of the advisory release.

 

Mitigating Factors

F-Secure KEY for Desktop has to be unlocked prior to successful exploitation. User interaction is also required in certain attack methods prior to successful exploitation. 

Fix Available

Product: F-Secure KEY for Windows
Version: 4.6.112

The fix is made available by updating when prompted by the application.

For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_win.msi

Additionally, at their own discretion, users may opt to change the passwords stored in the application.

Product: F-Secure KEY for Mac
Version: 4.6.112

The fix is made available by updating when prompted by the application.

For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_mac.dmg

Additionally, at their own discretion, users may opt to change the passwords stored in the application.

 

Credits

F-Secure Corporation would like to thank Tomáš Taro for bringing these issues to our attention.

Date Issued: 2017-10-25
Date Updated: 2017-10-25