A recent statement released by ElcomSoft, a Russian maker of password-recovery tools, claims that Quicken versions since 2003 have a backdoor that unlocks the strong encryption in the product with a secret 512-bit RSA key controlled by Intuit.
ElcomSoft accused Intuit of hiding this backdoor to give itself — and perhaps government agencies — access to users' data. Though Intuit does not deny the presence of the backdoor, it is adamant that this ability was only meant to be used by the company's support team to help customers who have forgotten their passwords.
This seems to be in order, as a quick search of Quicken's support site revealed what Intuit bills as its "password removal service," which will remove forgotten or misplaced passwords for the user at $9.95 per file.
Even ElcomSoft admits that it is unlikely this backdoor could be taken advantage of by malicious third parties, according to the Computerworld article "Russians say Quicken back door could give feds access to finance data":
"It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen," Vladimir Katalov, ElcomSoft's CEO, said in the statement. "[We] needed to use advanced decryption technology to uncover Intuit's undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key."
It is very probable that ElcomSoft made its allegations as part of a marketing ploy to draw attention to its suite of password-recovery products.
Still, the fact remains that a very well-known and popular product has a built-in backdoor that allows circumvention of its own encryption safeguards. Would you knowingly recommend and purchase such a product, whether it be for personal or corporate use?
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.