Intuit Quicken is one of the oldest tools of its kind. Over the years, Quicken had become the de facto standard for accounting, tax reporting and personal finance management in North America. Finance is an extremely sensitive area that demands adequate protection of user data. However, prior to 2003, Quicken employed a weak protection scheme that allowed an intruder to break in instantly even if a password was set. Starting with Quicken 2003, the tool gained the ability to encrypt data. From that version on, the password must be brute-forced in order to gain access to the encrypted data.

In 2007, we discovered a backdoor in Quicken software. While using secure encryption to protect the data, Intuit decided to include a backdoor in its products. This backdoor allowed Intuit to offer a data recovery service of a kind, unlocking Quicken files if the customer lost their password. To deliver this service, Intuit hardcoded a 512-bit RSA public key into its products, which was used to protect a copy of the symmetric encryption key (which, in turn, was used to encrypt and decrypt the customer’s data). The idea was that the decryption could only be performed by Intuit itself, since the private key was known only to the company. We’ve managed to uncover the backdoor, extract the public key and successfully factor the 512-bit RSA modulus to recover the matching private key.
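A toy model of the escrow design described above, added here as an illustration and not Intuit's or the authors' code: a copy of the file key is wrapped under a hardcoded RSA public key, so the scheme is only as strong as the modulus is hard to factor. The primes, file key, function names and the 2048-bit audit threshold are assumptions; textbook RSA without padding is used for brevity.

```python
# Added illustration: textbook RSA on toy numbers, no padding.
# All names and values are constructed; this is not Quicken's file format.

MIN_RSA_BITS = 2048  # assumption: common current minimum for RSA moduli


def make_keypair(p, q, e=65537):
    """Vendor side: returns (public key, private exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def wrap_file_key(file_key, public):
    """Product side: escrow copy of the file key under the hardcoded public key."""
    n, e = public
    if not 0 < file_key < n:
        raise ValueError("file key must be smaller than the modulus")
    return pow(file_key, e, n)


def unwrap_file_key(blob, n, d):
    """Recovery service: meant to be possible only for the private key holder."""
    return pow(blob, d, n)


def smallest_factor(n):
    """Trial division; finishes quickly only because the toy modulus is ~40 bits."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n


def private_from_public(public):
    """Once n is factored, d follows from the public key alone."""
    n, e = public
    p = smallest_factor(n)
    return pow(e, -1, (p - 1) * (n // p - 1))


def modulus_is_adequate(n, min_bits=MIN_RSA_BITS):
    """Audit check for a public key found embedded in a product."""
    return n.bit_length() >= min_bits


PUBLIC, VENDOR_D = make_keypair(1000003, 1000033)  # constructed toy primes
FILE_KEY = 0x1234ABCD                              # constructed symmetric key
ESCROW_BLOB = wrap_file_key(FILE_KEY, PUBLIC)
```

The escrow copy bypasses the user's password entirely, so the strength of the password no longer bounds the strength of the file's protection; the size of the embedded modulus does.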