FTPPro insecurities

From: The Wall (the-wallat_private)
Date: Mon Dec 27 1999 - 08:27:41 PST


    FTPPro v.7.5
    
    FTPPro stores credit card information in multiple locations, unprotected,
    and in plain text.
    
    The program consists of 2 files, FTPPro20.exe and FTPPro20.hlp.  These
    files do not require their directory to be in the working %PATH%
    statement.
    
    When the program initializes for the first time, it creates a key in the
    registry:
    
    \HKEY_LOCAL_MACHINE\SOFTWARE\FTPPro98c
    
    This key is set with the following permissions:
    
    Administrator   (Full Control)
    Creator Owner   (Full Control)
    Everyone        (Special Access - Query Value, Set Value, Create Subkey,
                     Enumerate Subkeys, Notify, Delete, Read Control)
    System          (Full Control)
    
    The primary purpose of this key is not to store any real program related
    information, but to store license and registration information.  Among the
    keys and their data are:
    
    Credit Card #
    Credit Card Expiration Date
    Credit Card type (VISA, MC, etc.)
    Name, Address, City, State, Zip, Phone
    
    The program will not submit the registration information until all of the
    above information (and more) is provided.  All of this information is
    stored in the registry unprotected.  The only relevant program information
    stored under this key is the program version and the "LastRunDate".
    
    In addition to entering all of the above data into the registry, the
    program provides a "Register Offline" option.  This option will create a
    text file called "Register.txt" in the program working directory
    containing all of the above information in clear text.
    
    Sabine Consulting, the program distributors, have been notified.
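
The two problems described in the post (a registry key writable by Everyone, and sensitive value names stored in it in plain text, plus an optional clear-text Register.txt) can be checked from a defender's side with a short audit script. The PowerShell below is an added example written for this archive page; it is not code from the poster or from Sabine Consulting. It takes the key path and the Register.txt file name from the post, treats the program directory as an operator-supplied assumption, and deliberately reports only value names and kinds, never the stored data itself.

```powershell
# Added example, not part of the original post: audit a registry key for
# write access granted to broad principals and for value names that suggest
# stored payment or contact data. Defaults come from the advisory above.
param(
    [string]$KeyPath    = 'HKLM:\SOFTWARE\FTPPro98c',
    [string]$ProgramDir = $null   # assumption: directory where Register.txt would be written
)

# Rights that allow a group member to alter, extend or remove the key.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals that should never hold write rights on a key holding secrets.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $who) { continue }
        # Mask the ACE down to the write-class rights we care about.
        $granted = [int]($ace.RegistryRights -band $writeRights)
        if ($granted -ne 0) {
            $findings += [pscustomobject]@{
                Key       = $Path
                Principal = $who
                Rights    = $ace.RegistryRights
            }
        }
    }
    return $findings
}

function Find-SensitiveValueNames {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    # Name patterns drawn from the fields the post lists; data is never read.
    $pattern = '(?i)credit|card|expir|name|address|city|state|zip|phone'
    $key.GetValueNames() |
        Where-Object { $_ -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Key       = $Path
                ValueName = $_
                Kind      = $key.GetValueKind($_)
            }
        }
}

function Test-PlaintextRegistrationFile {
    param([string]$Dir)
    if (-not $Dir) { return $null }
    $file = Join-Path -Path $Dir -ChildPath 'Register.txt'
    if (-not (Test-Path -Path $file)) { return $null }
    $item = Get-Item -Path $file
    [pscustomobject]@{
        File      = $file
        SizeBytes = $item.Length
        LastWrite = $item.LastWriteTime
    }
}

Write-Host "== Broad write access on $KeyPath =="
Test-BroadWriteAccess -Path $KeyPath | Format-Table -AutoSize

Write-Host "== Value names that look like payment or contact data =="
Find-SensitiveValueNames -Path $KeyPath | Format-Table -AutoSize

if ($ProgramDir) {
    Write-Host "== Clear-text registration file =="
    Test-PlaintextRegistrationFile -Dir $ProgramDir | Format-List
}
```

Run it as an account that can read HKLM, for example `.\Audit-FTPProKey.ps1 -ProgramDir 'C:\Program Files\FTPPro'` (path assumed). An empty first table means no broad principal holds Set Value, Create Subkey, Delete, Change Permissions or Take Ownership on the key; the ACL quoted in the post would produce one row for Everyone. The second table only tells you that values with those names exist, which is the signal worth alerting on; whether they are populated is something the user, not an audit script, should confirm.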
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:28 PDT