Vulnerabilities in F-Secure KEY for Desktop could allow an attacker to obtain a user's login credentials.
A security audit of F-Secure KEY for Desktop (version 4.5.116), conducted by an external researcher, found the product to be susceptible to multiple vulnerabilities ranging from low to high risk. These include:
1. [RISK:LOW] The content of the SQLite3 database is not fully encrypted, which could lead to disclosure of non-sensitive information.
2. [RISK:MEDIUM] The application does not correctly check the domain name of username/password requests.
For the F-Secure KEY Password Manager browser extension (version 0.9.9.7), the vulnerabilities, ranging from low to high risk, include:
3. [RISK:LOW] The autofill function does not correctly check country-code second-level domains.
4. [RISK:MEDIUM] The Chrome extension does not verify the origin of click events.
5. [RISK:MEDIUM] A malicious website could steal credentials for multiple websites.
By combining vulnerabilities 2, 3 and 4, an unauthorized attacker could obtain a user's login credentials.
The issues were disclosed to F-Secure directly through our Vulnerability Reward Program, and no known attacks had been observed in the wild at the time of the advisory release.
F-Secure KEY for Desktop has to be unlocked prior to successful exploitation. Certain attack methods also require user interaction prior to successful exploitation.
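Items 2 and 3 above both come down to how a password manager decides that the page asking for credentials is the site they were saved for. The following JavaScript is an added example, not F-Secure's code: it places a naive last-two-labels comparison (which treats everything under co.uk as one site) beside a registrable-domain (eTLD+1) comparison that handles country-code second-level domains. The public-suffix set and all hostnames are constructed for the example; a real extension must use the full Public Suffix List.

```javascript
// Added example: origin matching for credential autofill that treats
// country-code second-level domains (ccSLDs) such as "co.uk" as part of the
// public suffix, so two unrelated sites under the same ccSLD never match.
//
// Constructed, deliberately tiny subset of the Public Suffix List
// (https://publicsuffix.org/). Not suitable for production as-is.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "org", "uk", "co.uk", "org.uk", "au", "com.au", "jp", "co.jp",
]);

// Longest public suffix matching the hostname, or null if none is known.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Registrable domain (eTLD+1): the public suffix plus exactly one more label.
// Returns null when the hostname is itself a public suffix ("co.uk") or unknown.
function registrableDomain(hostname) {
  const suffix = publicSuffix(hostname);
  if (suffix === null) return null;
  const labels = hostname.toLowerCase().split(".");
  const suffixLen = suffix.split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Naive check of the kind behind this bug class: compare only the last two
// labels, so "example.co.uk" and "other.co.uk" both reduce to "co.uk" and match.
function naiveSameSite(hostA, hostB) {
  const tail = (h) => h.toLowerCase().split(".").slice(-2).join(".");
  return tail(hostA) === tail(hostB);
}

// Hardened check: autofill only over https and only when the page's registrable
// domain equals the one the credential was saved for. Unknown suffixes fail closed.
function shouldAutofill(savedHost, pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;
  const saved = registrableDomain(savedHost);
  const page = registrableDomain(url.hostname);
  return saved !== null && page !== null && saved === page;
}
```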
Product | Fixed version | Fix availability / Download |
---|---|---|
F-Secure KEY for Windows | 4.6.112 | The fix is made available by updating when prompted by the application. For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_win.msi. Additionally, at their own discretion, users may opt to change the passwords stored in the application. |
F-Secure KEY for Mac | 4.6.112 | The fix is made available by updating when prompted by the application. For a new installation, the installer can be downloaded from https://download.sp.f-secure.com/key/f-secure_key_mac.dmg. Additionally, at their own discretion, users may opt to change the passwords stored in the application. |
F-Secure Corporation would like to thank Tomáš Taro for bringing these issues to our attention.
Date Issued: 2017-10-25
Date Updated: 2017-10-25