Credentials disclosure in Avira Free Antivirus
https://medium.com/@knikolenko/avira-free-antivirus-password-collector-83452fa7f943 …
CVE-2020-12680
@Avira @malwrhunterteam
Replying to @K_N1kolenko @artem_i_baranov and
I don't understand, what is the vulnerability? Reading/writing to stdio is how native messaging is supposed to work - it's 100% possible they messed it up, but the article doesn't say how and there's no CVE details yet.
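The stdio protocol referred to above, as an added example that is not part of the thread and not Avira's code: a Chrome/Firefox native messaging host reads a 4-byte native-order length prefix followed by a UTF-8 JSON message on stdin and writes replies in the same framing on stdout. The `handle_request`/`serve` host logic, the `chrome-extension://abc/` origin and the request messages are constructed for illustration. The point the example makes is that the origin a host sees on its command line is supplied by whatever spawned it, so checking it does not distinguish the browser from any other local process.

```python
"""Native messaging framing (added example, not the Avira host's code).

Wire format: 32-bit message length in native byte order, then that many bytes
of UTF-8 JSON. Chrome drops host->browser messages larger than 1 MiB.
"""
import io
import json
import struct
import sys

HEADER = struct.Struct("=I")         # native byte order, fixed 4-byte size
MAX_HOST_TO_BROWSER = 1024 * 1024    # Chrome's limit on host->browser messages


def encode_message(obj):
    """Frame a JSON-serialisable object for the native messaging pipe."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds the 1 MiB host->browser limit")
    return HEADER.pack(len(payload)) + payload


def decode_message(stream):
    """Read one framed message; None on clean EOF, ValueError on truncation."""
    header = stream.read(HEADER.size)
    if not header:
        return None
    if len(header) != HEADER.size:
        raise ValueError("truncated length prefix")
    (length,) = HEADER.unpack(header)
    payload = stream.read(length)
    if len(payload) != length:
        raise ValueError("truncated payload")
    return json.loads(payload.decode("utf-8"))


def decode_bytes(data):
    return decode_message(io.BytesIO(data))


def caller_origin(argv):
    """Origin string Chrome passes as a command-line argument, if present.

    It is set by whoever spawned the host, so a non-browser caller (a shell,
    a script, malware) can pass any value it likes; treat it as advisory.
    """
    for arg in argv[1:]:
        if arg.startswith("chrome-extension://"):
            return arg
    return None


def handle_request(msg):
    """Hypothetical host command handler (constructed for this example)."""
    if msg.get("cmd") == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": False, "error": "unknown command"}


def serve(stdin, stdout, argv, allowed_origins):
    """Host main loop; returns the number of requests handled."""
    if caller_origin(argv) not in allowed_origins:
        stdout.write(encode_message({"ok": False, "error": "origin not allowed"}))
        return 0
    handled = 0
    while True:
        msg = decode_message(stdin)
        if msg is None:
            return handled
        stdout.write(encode_message(handle_request(msg)))
        handled += 1


def demo(origin="chrome-extension://abc/"):
    """Drive the host over in-memory pipes the way any local process could.

    Constructed input: two requests, one known and one unknown command.
    """
    requests = [{"cmd": "ping"}, {"cmd": "dump"}]
    stdin = io.BytesIO(b"".join(encode_message(r) for r in requests))
    stdout = io.BytesIO()
    handled = serve(stdin, stdout, ["host", origin], {"chrome-extension://abc/"})
    stdout.seek(0)
    replies = []
    while (reply := decode_message(stdout)) is not None:
        replies.append(reply)
    return handled, replies


if __name__ == "__main__":
    print(demo())
    # A caller that lies about its origin is indistinguishable from the browser:
    print(demo(origin="chrome-extension://abc/"))
```

Running `demo()` shows both requests answered; passing a different origin string gets only the "origin not allowed" reply, but since the spawning process chooses that string, the check is not a caller-authentication mechanism. A host that returns secrets needs a stronger binding to the browser (or its own authentication) than stdio framing gives it.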
Replying to @taviso @K_N1kolenko and
I'm not sure if this is something that should get a CVE or not. But it is a real problem: there are files signed by Avira (meaning no AVs detecting it, hopefully at least some will now) that anyone can use very easily to read saved passwords from browsers.
Replying to @malwrhunterteam @taviso and
Could you consider the fact that they fail to verify the caller a vulnerability given the functionality and the fact it is signed? I'm leaning towards no but I'm not convinced
If you're a user of that password manager extension and you just go to http://passwords.avira.com , all of your passwords are right there in the clear. No "master password" or other auth required. What's the novelty here? That you're talking to the extension from the commandline?