CVE-2022-32389 - Swift XMPP Client Desktop 4.0.2 has a Hard-coded Password affecting various sectors (Military, Finance and Government)
Description
On June 1st, our Green Tick security team took a snapshot of the registry before and after installation in order to see what changes were being made to it, and our team discovered hard-coded credentials exposed (username, Windows password, certificates, etc.) in the Swift XMPP client.
Swift Desktop is a multi-platform XMPP client for instant messaging and multi-user chat. A free and open-source client (with support packages available from Isode), it contains a number of features that make it ideal for use in secure environments such as the Military, Finance, and Government.
Evidence
The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for Isode Ltd. (Swift). The vulnerability was found in Swift XMPP client.
Locate 'Computer\HKEY_CURRENT_USER\Software\Swift\Swift' in Registry Editor.
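The following PowerShell audit script is an added example, not part of the advisory and not code from Isode or the Swift project. It walks the registry key named above and reports which values under it have credential-like names and whether they are stored as readable strings; the name patterns are an assumption based on the advisory's wording (username, Windows password, certificates) and should be adjusted to the values actually seen on an affected install.

```powershell
# Added audit script (hypothetical, not from the advisory or from Swift/Isode).
# Walks HKCU\Software\Swift\Swift and reports values whose names look like
# credentials, without printing the secret contents themselves.
$KeyPath = 'HKCU:\Software\Swift\Swift'                    # path quoted in the advisory
$SensitivePattern = 'pass|pwd|secret|token|cert|key|user'  # assumed name patterns

function Get-SensitiveRegistryValues {
    param([string]$Path, [string]$Pattern)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not found; Swift may not be installed for this user."
        return @()
    }

    # Include the key itself plus every subkey beneath it.
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    $findings = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -match $Pattern) {
                $kind  = "$($key.GetValueKind($name))"
                $value = $key.GetValue($name)
                [pscustomobject]@{
                    Key       = $key.Name
                    Value     = $name
                    Kind      = $kind
                    # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are readable as-is by any
                    # process running as this user. Binary data may be DPAPI-protected
                    # or may still be plaintext; inspect it manually.
                    Plaintext = $kind -in @('String', 'ExpandString', 'MultiString')
                    Length    = if ($value -is [byte[]]) { $value.Length } else { "$value".Length }
                }
            }
        }
    }
    return $findings
}

$results = @(Get-SensitiveRegistryValues -Path $KeyPath -Pattern $SensitivePattern)
if ($results.Count -eq 0) {
    Write-Output "No credential-like values found under $KeyPath."
} else {
    # Report names, storage type and size only; never echo the secrets.
    $results | Format-Table -AutoSize
}
```

Any value reported with Plaintext = True is readable by every process running in the user's session, which is the condition the advisory describes; the remediation is to keep such material in Windows Credential Manager or a DPAPI-protected blob rather than in a plain registry string.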
References
https://gtn.com.np/storage/2022/06/SWIFT-CVE-REQUEST.pdf
https://nvd.nist.gov/vuln/detail/CVE-2022-32389
https://www.tenable.com/cve/CVE-2022-32389