In association with heise online

25 June 2007, 16:17

Backdoor in Intuit Quicken finance software


Elcomsoft, a Russian vendor of password recovery applications, claims to have discovered a backdoor in Intuit's Quicken finance application. They state that the password for securing data is protected using a 512-bit RSA key known only to Intuit. According to Elcomsoft, Intuit uses the key for a decryption service in order to provide users who have forgotten their passwords with access to their data. Elcomsoft seems to be of the opinion that the central key has also been deposited with state regulatory authorities - without, however, providing any evidence for this assumption.

US-CERT has apparently been informed of the problem. According to the report, all versions of Intuit Quicken from 2003 to 2007 are affected. Elcomsoft also claims to have succeeded in factorising, i.e. cracking, the 512-bit key. Elcomsoft criticises the fact that the backdoor makes it easier for crackers to obtain access to confidential data, but offers Advanced Intuit Password Recovery (AINPR), with the central key integrated, among its own products. Should Intuit release an update to resolve this problem, however, this tool would become worthless.
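Why a single short escrow key is a single point of failure can be shown with toy numbers. The following Python sketch is an added illustration, not code from Elcomsoft or Intuit: the 63-bit modulus, the sample passwords, the unpadded wrapping and all function names are assumptions made for the example and say nothing about Quicken's actual file format.

```python
# Added illustration with toy numbers; not Quicken's real format, key or padding.
from math import gcd

# Constructed "vendor" escrow key: two well-known small primes, so N has only 63 bits.
P, Q = 2147483647, 4294967291
N, E = P * Q, 65537

def modulus_is_too_short(n: int, min_bits: int = 2048) -> bool:
    """Defender's audit check: flag RSA moduli below a minimum size (assumed policy)."""
    return n.bit_length() < min_bits

def escrow_wrap(password: bytes, n: int, e: int) -> int:
    """Wrap a password under the vendor's public key (textbook RSA, no padding)."""
    m = int.from_bytes(password, "big")
    if m >= n:
        raise ValueError("password too long for this toy modulus")
    return pow(m, e, n)

def pollard_rho(n: int, c: int = 1) -> int:
    """Return a non-trivial factor of a composite n using Pollard's rho."""
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n          # tortoise: one step
        y = (y * y + c) % n          # hare: two steps
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    return d if d != n else pollard_rho(n, c + 1)

def private_exponent_from_public(n: int, e: int) -> int:
    """Factor n, then derive d exactly as the key owner would."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def escrow_unwrap(blob: int, d: int, n: int) -> bytes:
    """Recover the wrapped password with the private exponent."""
    m = pow(blob, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    # Two constructed users, both escrowed under the same vendor key.
    blobs = [escrow_wrap(pw, N, E) for pw in (b"hunter2", b"s3cret")]
    d = private_exponent_from_public(N, E)   # uses only the public (N, E)
    print(modulus_is_too_short(N), [escrow_unwrap(b, d, N) for b in blobs])
```

One factorisation of the shared modulus opens every blob wrapped under it, which is why the size of a central key matters far more than that of a per-user key.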

Not many businesses in the UK are likely to be exposed to this problem. As Quicken was withdrawn from sale in the UK in January 2005, only those who have a long-standing commitment to the product are still likely to be using it. However, since product support was also terminated in 2006, no fix will be forthcoming, so those users would be well advised to consider migrating to an alternative package.

