Security vulnerability to user account and server side user data

Zoho stores unencrypted account information in the client side registry (e.g. zohopassword and zohousername keys under HKEY_USERS in Windows XP).

Does this constitute a serious and widespread security vulnerability - e.g. could a server side program steal this information and use it to access user accounts?

If not, what prevents this?

Even if server side theft of user account credentials is theoretically impossible, storing this data in plain ASCII format, and unencrypted, still represents a serious though less widespread vulnerability. This is because someone accessing a vacant terminal, or looking over a user's shoulder etc., would be able to steal their account login credentials.

Given the volume and sensitivity of the information stored in a user's account, this practice is a worryingly sloppy approach to the serious issue of protecting the user's account and server side data from unauthorised access.

Mark
http://www.markhughes.eu
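An added audit check illustrating the exposure the post describes; it is not part of the original post and not Zoho's code. It reports which loaded user hives hold `zohousername` / `zohopassword` values (the names the post gives) without echoing the secret; the exact subkey path is not stated on the page, so every key under each hive is searched, which is an assumption and can take a while.

```powershell
# Added audit example (not from the original post): report whether any loaded
# user hive contains Zoho credential values stored in plaintext, without
# printing the secret itself. Value names come from the post; the subkey path
# is unknown, so each hive is searched recursively (assumption).
# Requires Windows PowerShell 3.0 or later. Other users' hives are visible
# only to an administrator, and only while those users are logged on.
$ValueNames = @('zohousername', 'zohopassword')

function Find-PlaintextZohoCredentials {
    # HKEY_USERS is not mapped as a drive by default, so map it on demand.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        # *_Classes hives hold file associations, not application settings.
        if ($hive.PSChildName -like '*_Classes') { continue }
        $keys = @($hive) + @(Get-ChildItem -Path $hive.PSPath -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $ValueNames) {
                if ($key.GetValueNames() -contains $name) {
                    $value = $key.GetValue($name)
                    [pscustomobject]@{
                        Hive      = $hive.PSChildName   # user SID
                        Key       = $key.Name
                        ValueName = $name
                        Kind      = $key.GetValueKind($name)
                        # Report that a secret is present and how long it is,
                        # never its contents, so the audit output is safe to share.
                        Length    = ("$value").Length
                    }
                }
            }
        }
    }
}

Find-PlaintextZohoCredentials | Format-Table -AutoSize
```

A non-empty result confirms the plaintext storage on that machine and identifies the key to clear or protect; whether the client then requires a fresh sign-in is not stated on the page.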