Elcomsoft Discovers a Quicken Backdoor, and Provides Instant Removal of Quicken Passwords

Share Article

Elcomsoft, a leader in password recovery for major Windows applications, has discovered a backdoor in Intuit's Quicken software. Millions of people worldwide have chosen Quicken as their financial software, in part because of Intuit's assurances that they have taken the steps to protect the privacy of their data by means of a highly secure password system. The latest version of Elcomsoft's Advanced Intuit Password Recovery allows businesses and individuals to remove password protection from Quicken files.

News Image
Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit's undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key.

ElcomSoft, a leader in password recovery for major Windows applications, has discovered a backdoor in Intuit's Quicken software. Millions of people worldwide have chosen Quicken as their financial software, in part because of Intuit's assurances that they have taken the steps to protect the privacy of their data by means of a highly secure password system. The latest version of Elcomsoft's Advanced Intuit Password Recovery allows businesses and individuals to remove password protection from Quicken files.

Beginning with Quicken 2003, Intuit protected its Quicken files with very strong encryption. This protection made it impractical for people to use brute force techniques to discover passwords that would unlock Quicken files.

It appears, however, that Intuit included a backdoor in the product, from Quicken 2003 through Quicken 2007. This backdoor allows Intuit to offer their own affordable service whereby Intuit will unlock a customer's file. To deliver this service, Intuit uses a 512-bit RSA key known only to Intuit. Before Elcomsoft's discovery of Intuit's backdoor, Intuit was the only organization that could unlock their customers' files.

"It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen," said Vladimir Katalov, Elcomsoft's CEO. "Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit's undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key."

Perhaps Intuit included the Quicken backdoor to make it possible for the United States Internal Revenue Service (IRS), FBI, CIA, or other law-enforcement and forensics organizations to use an "escrow key" to gain entry into password-protected Quicken files. Unfortunately, the existence of such a backdoor and escrow key creates a vulnerability that might leave millions of Quicken users worldwide with compromised bank account data, credit card numbers, and income information.

As a service to the community, Elcomsoft has sent an official vulnerability report to CERT. CERT, which is sponsored primarily by the US government's Department of Defense and Department of Homeland Security, is responsible for responding to major security incidents an analyzing product vulnerabilities. CERT was created following the 1988 Morris worm incident which disabled more than ten percent of the Internet.

Advanced Intuit Password Recovery, and all of Elcomsoft's decryption software, runs under Windows NT4/2000/XP/2003/Vista. For more information, please visit http://intuit.elcomsoft.com .

Evaluation Copy Available on Request

About Elcomsoft Co. Ltd.

Since 1990, Elcomsoft Co. Ltd. has been developing and marketing password recovery, forensics, and security software for Windows. In addition to Advanced Intuit Password Recovery and Distributed Password Recovery, the company also offers a comprehensive line of password recovery and password auditing software for popular Microsoft, Lotus, Corel and Adobe software, as well as dozens of popular email clients, compression programs, instant messenger applications, and other applications.

###

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Dmitry Harchenko