| Title | AliasVault v0.25.3 Insecure Storage of Sensitive Information |
|---|
| Description | AliasVault version 0.25.3 for iOS stored sensitive authentication and cryptographic data in plaintext in its shared container and UserDefaults plist files. The application did not exclude these files from iCloud or device backups. Sensitive values included access tokens, refresh tokens, key derivation parameters, and authentication metadata.
An attacker with access to a device backup or during device transfer could steal these sensitive values and compromise user accounts and active sessions. The vulnerability was fixed in version 0.26.0 by marking the shared container and relevant UserDefaults files as excluded from backups (isExcludedFromBackup=true).
Affected Files:
• <app_sandbox>/Library/GroupContainers/<group_identifier>/UserDefaults/<plist_name>.plist
• <app_sandbox>/Library/Preferences/net.aliasvault.app.plist
Fixed In: 0.26.0
References:
• Pull Request: https://github.com/aliasvault/aliasvault/pull/1499
• Pull Request: https://github.com/aliasvault/aliasvault/pull/1499/changes/b6bf747f775cf527014540989f7bd0b9f0091720
• Commits: https://github.com/aliasvault/aliasvault/commit/0bd662320174d8265dfe3b05a04bc13efc960532 |
|---|
| Source | https://github.com/aliasvault/aliasvault/issues/1497#event-22294539220 |
|---|
| User | nmaochea (UID 95128) |
|---|
| Submission | 11/02/2026 06:10 (3 months ago) |
|---|
| Moderation | 22/02/2026 15:47 (11 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 347340 [AliasVault App up to 0.25.3 on Android/iOS Backup aliasvault.xml information disclosure] |
|---|
| Points | 0 |
|---|