Studiometry – Insecure Password Storage

    Type

  • Insecure Password Storage

    • Severity

  • High

    • Affected products

  • Studiometry

    • CVE Reference

  • N/A
Timeline
2016-07-11Issue reported to vendor
2016-07-11Response received from vendor
2016-07-13Vendor provided beta with patches for testing. Vulnerability verified as fixed in beta.
2016-07-14Vendor notified MWR that an official patch would be released 2016-07-25.
2016-07-25Oranged Software released official patched version 12.6.1 of Studiometry

Description

Studiometry is a project and client management tool that is directed at small business. The tool comes in several forms with both a Windows and Mac OSX implementation. Additionally, cloud services are provided as well as an iOS mobile application. The Windows version of the application was tested but the advisory could affect the iOS and Mac OSX implementations. The configuration was that of a self-administered Studiometry server that a small business would be likely to use.

It was discovered that Studiometry stores user account passwords in encoded base64 format on both the server and its clients.

Impact

An attacker that has obtained access to a Studiometry database stored either on the server or one of its clients could easily decode all the users’ passwords for the application.

Cause

Insecure design and database management.

Solution

Update to Studiometry 12.6.1.

Technical Details

Please refer to the attached advisory above.

Further Information

 http://oranged.net/studiometry/versionhistory/