So my “problem” is the following: I have found out that all chats are stored unencrypted in the file: C:\Users\Username\AppData\Roaming\pascom Client\client.db. People with the appropriate rights (whether admins, attackers, or a user on a terminal server in the case of a misconfiguration) would therefore be able to read the chats of all users…
I already made an article about this here in the forum a few months ago, but I haven’t heard anything about it, so I’m posting here again because I think this is a big issue in terms of security…
You can open it with an SQLite viewer (there are also some online, if you do this with a test user where the chats are not confidential); there you can see everything under the chatmessage table in a clearer and easier-to-read way.
It’s quite usual for applications to store confidential data on your disk without any encryption. If you’re using Firefox and are automatically logged in at any webpage, cookies are stored on your disk without any encryption in an SQLite file (checked it on macOS).
If someone hijacks this file due to messed-up permissions, he’ll be able to steal every single session that you have on any website.
I don’t have a problem with the permissions, I just noticed it and in the cases mentioned it can happen. And just because everyone does it this way, can’t pascom be more advanced and secure? After all, you pay for licenses for their service, so surely I can expect something more than just the minimum of what is required? Or not?
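Added example, not part of the forum thread or of pascom's code: a small audit that tells whether a local client database such as the client.db discussed above is a plaintext SQLite file, which tables are readable without any key, and (on POSIX systems) whether group or other users can read it. The `chatmessage` table name is taken from the thread; its columns and both sample files are constructed for the demonstration.

```python
import os
import sqlite3
import stat
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite 3 file


def audit_sqlite_file(path):
    """Report whether a local database can be read without any key."""
    path = Path(path).resolve()
    with open(path, "rb") as fh:
        plaintext = fh.read(16) == SQLITE_MAGIC
    tables = []
    if plaintext:
        # mode=ro: the audit must never modify the client's data.
        con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
            tables = [r[0] for r in rows]
        except sqlite3.DatabaseError:
            tables = []  # magic matched but the pages are unreadable
        finally:
            con.close()
    # POSIX mode bits only; NTFS ACLs are not visible here, so report None on Windows.
    shared = None
    if os.name != "nt":
        shared = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"plaintext_header": plaintext, "tables": tables,
            "group_or_other_readable": shared}


def build_constructed_samples(directory):
    """Create two constructed files: a plaintext DB and an opaque blob."""
    plain = Path(directory) / "client.db"
    con = sqlite3.connect(plain)
    # Table name is from the thread; the columns are hypothetical.
    con.execute("CREATE TABLE chatmessage (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO chatmessage (body) VALUES ('constructed test message')")
    con.commit()
    con.close()
    opaque = Path(directory) / "opaque.db"
    opaque.write_bytes(bytes(range(256)) * 16)  # stands in for an encrypted file
    return plain, opaque


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for sample in build_constructed_samples(tmp):
            print(sample.name, audit_sqlite_file(sample))
```

On Windows the third field is `None`; review the file's ACL separately there, for example with `icacls`.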