The popular Quicken personal finance software has a back door that could be used to access data remotely, according to a Russian security firm.
Moscow-based password-recovery vendor Elcomsoft has accused Quicken maker Intuit of hiding a back door that gives it, and perhaps government agencies, access to users' data.
Intuit called the charges baseless, and said that although there is a way to unlock Quicken's encrypted data, it's only used by the company's support team to help customers who have forgotten their passwords.
In a statement, Elcomsoft said Quicken versions since 2003 have used strong encryption designed to foil hackers. But, it said, those editions also contain a back door: the protection can be removed by anyone holding the private half of a 512-bit RSA key that Intuit controls.
"It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen," Vladimir Katalov, Elcomsoft's CEO, said in the statement. "[We] needed to use advanced decryption technology to uncover Intuit's undocumented and well-hidden back door, and to successfully perform a factorisation of their 512-bit RSA key."
Elcomsoft then theorised that Intuit added the back door so law enforcement and other authorities, from the US Internal Revenue Service (IRS) to the FBI, could open password-protected Quicken files. "Unfortunately, the existence of such a back door and key creates a vulnerability that might leave millions of Quicken users with compromised bank account data, credit card numbers and income information," Elcomsoft charged.
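The design Elcomsoft describes, a file key wrapped under the user's password and separately escrowed under a vendor-held RSA key, is a standard key-escrow pattern, and its weak point is exactly the one Katalov names: whoever factors the modulus recovers the vendor's private key and gets the same password-free access the support desk has. A 512-bit RSA modulus was already within reach of a well-resourced factoring effort by 2007; RSA-155, a 512-bit challenge number, was factored in 1999. The Python below is an added illustration written for this page, not Quicken's format and not Intuit's or Elcomsoft's code: the stream cipher, the key sizes, the field names and the sample record are all toy choices made here so that the factoring step runs in well under a second.

```python
"""Toy model of a password-protected file whose data key is also escrowed under
a vendor master RSA public key, and of what factoring that key buys an attacker.
Added illustration only: not Quicken's file format; all sizes are deliberately
tiny (28-bit primes, 6-byte data key) so Pollard's rho finishes instantly."""
import hashlib
import math
import os


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~28-bit toy primes used below."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the odd composite n (Floyd-cycle Pollard rho)."""
    for c in range(1, 100):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def make_vendor_key(p: int, q: int):
    """Vendor master key; the private half (n, d) is the 'back door' key."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


KEY_LEN = 6  # toy data-key size; int(key) must be < n for textbook RSA


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode stream cipher standing in for the real file cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def password_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=KEY_LEN)


def protect_file(plaintext: bytes, password: str, vendor_pub) -> dict:
    """Encrypt under a random data key, then wrap that key twice: user and vendor."""
    n, e = vendor_pub
    salt, data_key = os.urandom(16), os.urandom(KEY_LEN)
    user_wrap = bytes(a ^ b for a, b in zip(data_key, password_kek(password, salt)))
    escrow = pow(int.from_bytes(data_key, "big"), e, n)  # only d can undo this
    return {"salt": salt, "user_wrap": user_wrap, "escrow": escrow,
            "ciphertext": keystream_xor(data_key, plaintext)}


def open_with_password(blob: dict, password: str) -> bytes:
    kek = password_kek(password, blob["salt"])
    data_key = bytes(a ^ b for a, b in zip(blob["user_wrap"], kek))
    return keystream_xor(data_key, blob["ciphertext"])


def open_with_vendor_key(blob: dict, vendor_priv) -> bytes:
    """The support-desk path: no password, only the master private key."""
    n, d = vendor_priv
    data_key = pow(blob["escrow"], d, n).to_bytes(KEY_LEN, "big")
    return keystream_xor(data_key, blob["ciphertext"])


def recover_vendor_private_key(vendor_pub):
    """What a factoring effort buys: p, q -> d, the very key the vendor holds."""
    n, e = vendor_pub
    p = pollard_rho(n)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def demo() -> dict:
    pub, priv = make_vendor_key(next_prime(2**28 + 1234), next_prime(2**28 + 56789))
    secret = b"acct 12345678 balance 1024.00"  # constructed sample record
    blob = protect_file(secret, "correct horse battery", pub)
    return {
        "password_ok": open_with_password(blob, "correct horse battery") == secret,
        "wrong_password_ok": open_with_password(blob, "guess") == secret,
        "vendor_ok": open_with_vendor_key(blob, priv) == secret,
        "factored_key_ok": open_with_vendor_key(blob, recover_vendor_private_key(pub)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole argument in four flags: the right password opens the file, a wrong one does not, the vendor's private key opens it with no password at all, and a key rebuilt from the factors of n does exactly the same. At real sizes only the last step gets harder, and with a 512-bit modulus it did not get hard enough.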
Harry Pforzheimer, who heads Intuit's communications, dismissed the idea. "We certainly do not design any of our products with any access for any agency," Pforzheimer said. "If any government agency wanted to get into a Quicken file, they have lots of other ways of doing it."
Pforzheimer acknowledged that there is a way to access encrypted Quicken files without a password, but that the ability is hardly secret. "It's for Quicken users who have forgotten their passwords - and only done when they call customer service or support."
In fact, a quick search of Quicken's support site revealed what Intuit calls its "password removal service," which, for $9.95 per file, scrubs out the password and returns the unprotected file to the user.
Pforzheimer was mystified by Elcomsoft's allegations. "We heard from them only a couple of days ago via email," he said.
Elcomsoft was in the news nearly six years ago, when in 2001 one of its employees, Dmitry Sklyarov, was arrested at a Las Vegas hackers' conference after giving a presentation about company software that unlocked the copy protection on Adobe Systems' eBooks. Charges against Sklyarov were later dropped in return for his testimony during the ensuing trial, in which the Russian company was brought up on criminal charges under 1998's Digital Millennium Copyright Act (DMCA). Elcomsoft was acquitted on all charges in a jury trial that ended in December 2002.
Elcomsoft officials were not available for comment.