0

I'm here to consult those who know more about encryption issues, since I do not have much knowledge on the subject.

A few years ago, I acquired a program that allows me to store information in a single file. The program had to protect the folders with password, and I was putting it to the test, until I discovered how to access that information (supposedly encrypted) without entering the password.

This is where I ask how is it possible that I could access the information through the same program and without entering the password if the file is encrypted? Should not I have obtained illegible information?

As far as I know, by entering the password, the file is decrypted and readable. But in this case, the developer says it uses encryption and I managed to access the information without the password. What he says is not real? There are different types of encryption?

MarianoM
  • 125
  • 6
  • Unfortunately nothing is known about the program you were using and what the authors of the program claim the program is doing vs. what you understand this program should do vs. what the program is really doing. Based on this lack of information it is impossible to say what's going on. – Steffen Ullrich Jan 12 '19 at 10:06
  • @SteffenUllrich Thank you! The truth is that I asked and I was not so sure because I suspected that they would answer something like that. The reason why I do not give the name of the program is because I am the only one who has discovered the BUG and although it was corrected, the previous versions can be used in a malicious way with the people who have stored important information. And on the other hand, I'm not sure the developer agrees to share this BUG. – MarianoM Jan 12 '19 at 10:59
  • Your comment suggests to me that your question is about a bug which was acknowledged by the developer and where you want to know how such a bug could happen. But I did not understand your question the same way. Anyway, there are still too few details to determine what could have happened. But, if the developer of the product acts responsible he should inform all the customers about the problem and ideally also provide sufficient details in which circumstances the issue could happen so that the customers are able to determine if their data was at risk. – Steffen Ullrich Jan 12 '19 at 11:07
  • @SteffenUllrich I agree with you and this is something that worries me for those who trust him fully. As soon as I discovered it, I reported it and asked if it was going to give explanations, but it only said that it launched the update that corrects the failure and informed in the changelog that the update is a high priority since a malicious user could access the protected folders by passwords. Even so, this worries me because although the new versions are corrected, I think you can still access it from old versions (I have to confirm it). – MarianoM Jan 12 '19 at 11:29
  • @SteffenUllrich I just confirmed that with the previous versions of the software you can access the information protected by password as you suspected. To solve this and not be accessible with any previous version, the developer should change the format of the database or provide a fix for the user to apply to it. I suspect that it is a very serious failure and that you should solve it in this way so that in none of the previous versions can you view the information without entering a password. What would you do in my place? – MarianoM Jan 13 '19 at 17:20
  • This means the bug actually is still there even though the new software version does not trigger it. This means essentially that the developer ignores the actual bug. Questions like [Where to publicly report a vulnerability, after developer ignores it?](https://security.stackexchange.com/questions/130961/) and [How does responsible disclosure work, once vendor says it's not a security bug?](https://security.stackexchange.com/questions/124736/how-does-responsible-disclosure-work-once-vendor-says-its-not-a-security-bug) should help you in this case. – Steffen Ullrich Jan 13 '19 at 17:24
  • @SteffenUllrich Thank you so much for everything! I am going to inform myself more and see how I can write the message in a way that is not annoying for the developer either. Because I am usually a translation collaborator I would not want you to bother with me for trying to solve the problem that affects other people. – MarianoM Jan 13 '19 at 23:09
  • @SteffenUllrich Finally after insisting, I received a response from the developer. Although he did not give me any date of the term that the solution will take, he told me that he must make a change in the architecture of the database format. In addition, he has requested that in the meantime NOT disclose the information to prevent malicious users from affecting the user data. Will I just have to wait or is it advisable to set a deadline? Keep in mind that the database must be more than proven to be stable. – MarianoM Jan 18 '19 at 11:21
  • The past has shown that no deadlines often result in no or very late fixes. But since it is not uncommon that others will detect the same problem it is advised to act quickly. But this is another topic - https://security.stackexchange.com/questions/145014/what-are-the-pros-and-cons-of-disclosing-a-vulnerability-before-it-is-patched – Steffen Ullrich Jan 18 '19 at 11:47
  • Thank you very much for everything @SteffenUllrich! Now I have a better basis to know how to act the next time I get a similar experience. Have a nice day! – MarianoM Jan 18 '19 at 13:48

1 Answers1

1

If you can read it without the password either it is not encrypted or the encryption is key is not tied to the password. I had seen such a thing in an Android app. User data was encrypted and stored in the DB. When activity B is opened data was decrypted and displayed to the user. To be able open activity B you had to enter a password on activity A. If the password is correct activity A starts activity B. But when a root user force opens the activity B data is still decrypted and displayed to the user. We don't have enough info to answer your question but it could be something like this.

b4da
  • 700
  • 1
  • 7
  • 20
  • Interesting information, Thank you very much! It could be something similar, but I really asked because I thought it was something very simple to deduce and I wanted to read expert opinions; I see that it is more complex than it seems. I do not share more information because I am the only one who knows the BUG and I fear that previous versions of the program will be used to access confidential information of the people who use it. And on the other hand, I'm not sure the developer agrees to share this BUG. – MarianoM Jan 12 '19 at 11:04