FSC-2017-2: Multiple vulnerabilities with F-Secure KEY for Desktop

Vulnerabilities in F-Secure KEY for Desktop could allow an attacker to obtain user's login credentials.

• F-Secure KEY before 4.5.116

• Windows 
• Mac

A security audit of F-Secure KEY for Desktop (version 4.5.116) was conducted by an external researcher and was found to be susceptible to multiple vulnerabilities from low to high risk levels. These includes: 

1. [RISK:LOW] Content of SQLite3 database is not fully encrypted, which could lead to non-sensitive information disclosure.

2. [RISK:MEDIUM] Application does not check domain name of username/password request correctly.

For F-Secure KEY Password Manager browser extension (version 0.9.9.7), multiple vulnerabilities from low to high risk level includes:

3. [RISK:LOW] Autofill function does not check country-code second level domain correctly.
4. [RISK:MEDIUM] Chrome extension does not verify origin of click events.
5. [RISK:MEDIUM] Malicious website could steal credentials for multiple websites.

With the combination of these vulnerabilities 2, 3 and 4, an unauthorized attacker could obtain user's login credentials.

The issues were disclosed to F-Secure directly through our Vulnerability Reward Program and no known attacks has been observed in the wild at the time of the advisory release.

F-Secure KEY for Desktop has to be unlocked prior to successful exploitation. User interaction is also required in certain attack methods prior to successful exploitation. 

F-Secure Corporation would like to thank Tomáš Taro for bringing these issues to our attention.

Date Issued: 2017-10-25
Date Updated: 2017-10-25