Here's one thing I bet the millions of Quicken users probably don't know: Intuit has a secret back door that allows it to access your password-protected financial files -- or so says Elcomsoft, a security software vendor based in Moscow. Elcomsoft claims it has discovered the heretofore undisclosed back door to Quicken files, which would allow Intuit to open the files without a customer's password. Elcomsoft also claims to have cracked the RSA encryption that protects the files. (Elcomsoft did not disclose how many millions of monkeys working on millions of computers it took to factorize the 512-bit key.)
Among other things, Elcomsoft sells password recovery software, so naturally it's hawking a product that can allegedly strip the encryption from Quicken and allow users to access files after their password has disappeared down the memory hole.
According to Elcomsoft:
This backdoor allows Intuit to offer their own affordable service whereby Intuit will unlock a customer's file. To deliver this service, Intuit uses a 512-bit RSA key known only to Intuit. Before Elcomsoft's discovery of Intuit's backdoor, Intuit was the only organization that could unlock their customers' files.
"It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen," said Vladimir Katalov, Elcomsoft's CEO. "Elcomsoft, a respected leader in the crypto community, needed to use its advanced decryption technology to uncover Intuit's undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key."
Perhaps Intuit included the Quicken backdoor to make it possible for the United States Internal Revenue Service (IRS), FBI, CIA, or other law-enforcement and forensics organizations to use an "escrow key" to gain entry into password-protected Quicken files. Unfortunately, the existence of such a backdoor and escrow key creates a vulnerability that might leave millions of Quicken users worldwide with compromised bank account data, credit card numbers, and income information.
Elcomsoft says it has reported this vulnerability to US CERT.
What does Intuit have to say? Nothing yet -- they haven't gotten back to me. If and when they do, I'll post their response here.