Quicken Security Backdoor Discovered
June 25, 2007: ElcomSoft, a Russian password-recovery firm, has released details of a newly discovered back door into Intuit Software’s Quicken that could compromise the financial records of millions of users.
Quicken files are protected with a “strong encryption” service that nullifies any chance of a brute-force attack compromising security. However, ElcomSoft claims that alongside this strong encryption Intuit has also included a security backdoor protected by a 512-bit RSA key, presumably so it could offer password retrieval services to its customers.
“It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen,” said Vladimir Katalov, ElcomSoft's CEO, according to theregister.co.uk. “ElcomSoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit's undocumented and well-hidden back door, and to successfully perform a factorization of their 512-bit RSA key.”
While still heavily fortified, the back door does open up the possibility that if Intuit’s key fell into the wrong hands, the financial information of potentially millions of users could be at risk of exposure or snooping by unauthorised parties.
According to theregister.co.uk, Intuit is taking ElcomSoft’s claims very seriously and is prepared to modify Quicken’s security capabilities if necessary.
ElcomSoft is now offering its own password recovery software for Intuit software. Called Advanced Intuit Password Recovery (AINPR), the company claims the software recovers lost or forgotten passwords from Intuit Quicken, Quicken Lawyer and QuickBooks files.