Swift XMPP Client Desktop 4.0.2 has a Hard-coded Password affecting various sectors (Military, Finance and Government)

Overview

  • Affected product: SWIFT
  • Affected version: 4.0.2
  • Vendor: Isode, SWIFT

Detailed description

On June 1st, the Green Tick security team took a snapshot of the Windows registry before and after installing the Swift XMPP client in order to see what changes the installer made to the registry. In that comparison the team discovered hard-coded credentials and other exposed sensitive data (username, Windows password, certificates, etc.) stored by the Swift XMPP client.
Swift Desktop is a multi-platform XMPP client for instant messaging and multi-user chat. A free and open-source client (with support packages available from Isode), it contains a number of features that make it ideal for use in secure environments such as the Military, Finance, and Government.

  • Severity: High
  • CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  • CVE ID: CVE-2022-32389
  • CWE ID: CWE-798

Proof of concept

The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for Isode Ltd. (Swift). The vulnerability was found in the Swift XMPP client. To reproduce, open Registry Editor and locate ‘Computer\HKEY_CURRENT_USER\Software\Swift\Swift’.

Solution / Workaround

We recommend removing the hard-coded credentials from the registry using Registry Editor.
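The before/after registry comparison the Green Tick team describes, together with a defender-side audit of the key named in the proof of concept, as an added PowerShell example (not the advisory's or Isode's own code). The page does not give the value names stored under the key, so the script reports whatever values are present, hashes or masks their data instead of printing it, and leaves the removal line commented for review.

```powershell
# Added example, not from the advisory or from Isode/Swift. Value names under the
# key are not stated on the page, so everything below is discovered at run time.
$SwiftKey = 'HKCU:\Software\Swift\Swift'   # key named in the advisory

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Map "<key>::<value name>" -> SHA-256 of the data, so two snapshots can be
    # compared without keeping plaintext secrets in the snapshot itself.
    $snap = @{}
    if (-not (Test-Path $Path)) { return $snap }
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $bytes = [Text.Encoding]::UTF8.GetBytes([string]$k.GetValue($name))
            $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            $snap["$($k.Name)::$name"] = $hash
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Emit values that appeared or changed between the two snapshots.
    foreach ($entry in $After.GetEnumerator()) {
        if (-not $Before.ContainsKey($entry.Key)) {
            [pscustomobject]@{ Change = 'Added';   Value = $entry.Key }
        } elseif ($Before[$entry.Key] -ne $entry.Value) {
            [pscustomobject]@{ Change = 'Changed'; Value = $entry.Key }
        }
    }
}

# Workflow used to find the issue: snapshot, install the client, snapshot, compare.
#   $before = Get-RegistrySnapshot 'HKCU:\Software'
#   ... install Swift XMPP client ...
#   $after  = Get-RegistrySnapshot 'HKCU:\Software'
#   Compare-RegistrySnapshot $before $after | Format-Table

# Direct audit of the advisory's key: show value names and data length only.
if (Test-Path $SwiftKey) {
    $item = Get-Item -Path $SwiftKey
    foreach ($name in $item.GetValueNames()) {
        $len = ([string]$item.GetValue($name)).Length
        Write-Output ('{0} : {1} ({2} chars, data withheld)' -f $SwiftKey, $name, $len)
        # Remediation from the advisory: remove the credential values after review.
        # Remove-ItemProperty -Path $SwiftKey -Name $name
    }
}
```

Run the snapshot functions in the same user context the client is installed under, since the key lives under HKEY_CURRENT_USER.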