Studiometry – Insecure Password Storage
Description
Studiometry is a project and client management tool that is directed at small business. The tool comes in several forms with both a Windows and Mac OSX implementation. Additionally, cloud services are provided as well as an iOS mobile application. The Windows version of the application was tested but the advisory could affect the iOS and Mac OSX implementations. The configuration was that of a self-administered Studiometry server that a small business would be likely to use.
It was discovered that Studiometry stores user account passwords in encoded base64 format on both the server and its clients.
Impact
An attacker that has obtained access to a Studiometry database stored either on the server or one of its clients could easily decode all the users’ passwords for the application.
Cause
Insecure design and database management.
Solution
Update to Studiometry 12.6.1.
Technical Details
Please refer to the attached advisory above.
Further Information
http://oranged.net/studiometry/versionhistory/