Backdoor discovered in popular financial planning software

Elcomsoft has discovered a backdoor in Intuit’s Quicken software. Millions of people worldwide have chosen Quicken as their financial software, in part because of Intuit’s assurances that they have taken the steps to protect the privacy of their data by means of a highly secure password system. The latest version of Elcomsoft’s Advanced Intuit Password Recovery allows businesses and individuals to remove password protection from Quicken files.
 
Beginning with Quicken 2003, Intuit protected its Quicken files with very strong encryption. This protection made it impractical for people to use brute force techniques to discover passwords that would unlock Quicken files.
 
It appears, however, that Intuit included a backdoor in the product, from Quicken 2003 through Quicken 2007. This backdoor allows Intuit to offer their own affordable service whereby Intuit will unlock a customer’s file. To deliver this service, Intuit uses a 512-bit RSA key known only to Intuit. Before Elcomsoft’s discovery of Intuit’s backdoor, Intuit was the only organization that could unlock their customers’ files.
 
“It is very unlikely that a casual hacker could have broken into Quicken’s password protection regimen,” said Vladimir Katalov, Elcomsoft’s CEO. “Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit’s undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key.”
 
The existence of such a backdoor and escrow key creates a vulnerability that might leave millions of Quicken users worldwide with compromised bank account data, credit card numbers, and income information.