Studiometry – Insecure Password Storage

Product: Studiometry
Severity: High
CVE Reference: N/A
Type: Insecure Password Storage

Description

Studiometry is a project and client management tool aimed at small businesses. It is available in several forms, with both Windows and Mac OS X implementations; cloud services and an iOS mobile application are also offered. The Windows version of the application was tested, but the issue may also affect the iOS and Mac OS X implementations. The tested configuration was a self-administered Studiometry server of the kind a small business would be likely to run.

It was discovered that Studiometry stores user account passwords as base64-encoded strings, rather than as password hashes, on both the server and its clients.

Impact

Base64 is a reversible encoding, not a cryptographic protection. An attacker who has obtained access to a Studiometry database, whether on the server or on one of its clients, could therefore trivially decode the passwords of all users of the application.

Cause

Insecure design and database management: passwords are stored in a reversible encoding rather than hashed.

Solution

Update to Studiometry 12.6.1.

Technical Details

Please refer to the attached advisory above.

Further Information

http://oranged.net/studiometry/versionhistory/

Detailed Timeline

Date         Summary
11 Jul 2016  Issue reported to vendor.
11 Jul 2016  Response received from vendor.
13 Jul 2016  Vendor provided a beta with patches for testing; the vulnerability was verified as fixed in the beta.
14 Jul 2016  Vendor notified MWR that an official patch would be released on 2016-07-25.
25 Jul 2016  Oranged Software released the official patched version 12.6.1 of Studiometry.