Uniqkey Password Manager 1.14 Credential Disclosure

Uniqkey Password Manager version 1.14 suffers from a credential disclosure vulnerability.


Uniqkey Password Manager 1.14 contains a vulnerability which causes remote credential disclosure under certain conditions.



When a user enters new credentials on a site that isn't registered within
the password manager, a pop-up window will appear asking the user
if they want to save these new credentials. This pop-up window will
stay on any page the user visits within the browser until a
decision is made. The code of the pop-up window can be read by remote
servers and contains the login credentials and URL in cleartext.
A malicious server could easily grab this information from the pop-up.
This vulnerability is related to id="uniqkey-password-popup" and password-popup/popup.html.
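
A regression check an extension developer could run for this class of bug, as an added example that is not from the advisory or the vendor: it walks a snapshot of the page-visible markup and flags any node that exposes known test credentials, raw or percent-encoded. The node layout, attribute names, test credentials and the "hardened" variant are constructed assumptions; the advisory names only the id and password-popup/popup.html.

```javascript
// Added example (not vendor code). Nodes are plain objects standing in for a
// DOM snapshot of the host page: { tag, attrs, text, children }.

// Forms in which a secret may appear in markup: raw and percent-encoded.
function encodings(secret) {
  return [...new Set([secret, encodeURIComponent(secret)])];
}

// Walk the page-visible tree and report every attribute or text node that
// contains one of the known test secrets.
function findSecretLeaks(node, secrets, path = "") {
  const attrs = node.attrs || {};
  const here = `${path}/${node.tag}${attrs.id ? "#" + attrs.id : ""}`;
  const leaks = [];
  const check = (where, value) => {
    for (const [name, secret] of Object.entries(secrets)) {
      if (encodings(secret).some((form) => String(value).includes(form))) {
        leaks.push({ node: here, where, secret: name });
      }
    }
  };
  for (const [attr, value] of Object.entries(attrs)) check(`@${attr}`, value);
  if (node.text) check("text", node.text);
  for (const child of node.children || []) {
    leaks.push(...findSecretLeaks(child, secrets, here));
  }
  return leaks;
}

// Constructed test credentials, typed into a login form during a QA run.
const TEST_SECRETS = { username: "qa-user@example.test", password: "N0t-a-real/p@ss" };

// Constructed snapshot: save prompt injected into the page with the values inline.
const leakySnapshot = { tag: "body", children: [
  { tag: "h1", text: "Unrelated page" },
  { tag: "div", attrs: { id: "uniqkey-password-popup" }, children: [
    { tag: "span", text: `Save login for ${TEST_SECRETS.username}?` },
    { tag: "input", attrs: { type: "hidden", value: TEST_SECRETS.password } },
    { tag: "div", attrs: { "data-state": "user=" + encodeURIComponent(TEST_SECRETS.username) } },
  ] },
] };

// Constructed snapshot of one possible fix (an assumption): the page only sees
// an opaque handle; the values stay in the extension's own context.
const hardenedSnapshot = { tag: "body", children: [
  { tag: "div", attrs: { id: "uniqkey-password-popup", "data-prompt": "7f3a" } },
] };

console.log(findSecretLeaks(leakySnapshot, TEST_SECRETS));
console.log(findSecretLeaks(hardenedSnapshot, TEST_SECRETS));
```

Run against a snapshot taken after navigating away from the login page, since the prompt persists across pages until the user decides.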


Update to the current version.

Vendor contacted: 5th Jan 2019
Issue fixed: 23rd Jan 2019
Bug Bounty paid: 4th Feb 2019

The vendor was very professional and responded well most of the time.
