Aquarius Desktop Weak Credential Storage Allowing Trivial Password Recovery and Full Account Takeover

Vulnerability

A vulnerability in Aquarius Desktop for macOS version 3.0.069 and prior allows for account takeover due to insecure storage of authentication credentials. The application saves passwords in a local file, `aquarius.settings`, using a weak and reversible obfuscation method. This 'encryption' can be easily reversed, enabling an attacker to recover the plaintext password. Once obtained, the password can be used to access the user's Aquarius account, either by importing the stolen settings file into another instance of the application or by logging in through the vendor's website. This vulnerability leads to unauthorized access to cloud-synchronized data and allows the attacker to perform actions on behalf of the user.

Impact

Exploitation of this vulnerability allows for full account takeover, including access to cloud-synchronized data and the ability to perform actions as the user.

Reproduction

The vulnerability can be reproduced by accessing the `aquarius.settings` file, which is located in the user's `Library/Application Support` directory. The file contains the encrypted password, which can be decrypted using a static Blowfish key hardcoded in the application's binary. Once the password is decrypted, it can be used to log into the user's Aquarius account or to import the settings file into another instance of Aquarius Desktop.

Remediation

To address this vulnerability, Aquarius Desktop should stop storing passwords in a reversible format. Instead, the application could use device-bound session tokens that are tied to the specific device and become invalid if the settings file is transferred to another device. Sensitive information should be stored using platform-provided secure storage, such as the macOS Keychain or Windows DPAPI, rather than in plaintext files in user-writable directories. Implementing integrity checks for local authentication files would also help prevent unauthorized account access.
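One way to implement the device-bound session token and integrity check described above, as an added example that is not Aquarius Desktop's own code. The device identifier, the record layout and the device secret are assumptions; the secret stands in for a value a real client would keep in the macOS Keychain (or Windows DPAPI), so it is never copied along with the settings file.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical stand-in for a per-device secret. A real client would store
# this in the Keychain/DPAPI; it is never written to the settings file.
DEVICE_SECRET = secrets.token_bytes(32)


def issue_session(user: str, device_id: str,
                  secret: bytes = DEVICE_SECRET) -> dict:
    """Build a settings record holding a session token instead of a password.

    The record is bound to device_id and carries an HMAC-SHA256 tag computed
    with the device-local secret, so editing it or moving it to another
    machine (which lacks the secret) makes it unusable.
    """
    payload = {
        "user": user,
        "device_id": device_id,
        "session_token": secrets.token_hex(32),  # opaque, server-issued in practice
    }
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def load_session(record: dict, device_id: str,
                 secret: bytes = DEVICE_SECRET) -> Optional[dict]:
    """Return the session payload only if the record is intact and was
    issued for this device; return None for a copied or edited file."""
    body = json.dumps(record["payload"], sort_keys=True).encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # tampered, or tagged with a different device's secret
    if record["payload"]["device_id"] != device_id:
        return None  # settings file transferred to another device
    return record["payload"]


if __name__ == "__main__":
    rec = issue_session("alice", "mac-A")
    print("same device:", load_session(rec, "mac-A") is not None)
    print("other device:", load_session(rec, "mac-B") is not None)
```

The server should still treat the token as revocable, so that a compromised device can be logged out without a password change.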

Added: Dec 3, 2025, 5:35 PM
Updated: Dec 3, 2025, 5:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.