List:       bugtraq
Subject:    Pilot Private Data Not So Private
From:       Aleph One <aleph1 () DFW ! NET>
Date:       1997-01-28 12:56:49

Subject: Pilot Private Data Not So Private
From: "Dick" <rwisler@i-d.com>
Date: 21 Jan 1997 00:33:01 GMT
Message-ID: <01bc0732$68783980$473bbccc@wisler>
Organization: Infinite-Dimension, Seattle WA
Newsgroups: comp.sys.palmtops

This may have been noted before, but being new to the Pilot, I've
discovered something very disturbing.  One of the key features I've looked
for in a PDA is the ability to maintain private records.  This gives me the
ability to carry PIN numbers, system passwords, and other private information
with me and throw away the little pieces of paper that had that information
on them and were 'hidden' in my wallet.  The Pilot seemed to satisfy this
need.

Well that information is as private as your nearest text editor, once you
sync with your PC.  Seems that the desktop application creates a directory
under the Pilot directory that is named your Pilot username.  Under that is
a sub-directory for address, memo, etc.  Open that and you will find a .bak
and .dat file.  Open them in any text editor and there is all your 'private'
data, ready for anyone to look at.  Really bad on my work computer, because
others may look at or use my PC while I'm gone.  So my PIN numbers and
passwords are there for the taking.  The only thing private about this
information is if you use the application software.  Then the record is
hidden until you view them with the correct password.

This is a serious security flaw in the product (in my opinion).  Certainly,
there is no mention or warning about this in the Pilot documentation.  And
it doesn't take a rocket scientist to figure out how to view the data.

So, beware of your private data...it isn't too hard to look at if you share
a PC with co-workers or family.
