Submit #756059: AliasVault v0.25.3 Insecure Storage of Sensitive Informationinfo

TitleAliasVault v0.25.3 Insecure Storage of Sensitive Information
DescriptionAliasVault versions 0.25.3 for iOS stored sensitive authentication and cryptographic data in plaintext in its shared container and UserDefaults plist files. The application did not exclude these files from iCloud or device backups. Sensitive values included access tokens, refresh tokens, key derivation parameters, and authentication metadata. An attacker with access to a device backup or during device transfer could steal these sensitive values and compromise user accounts and active sessions. The vulnerability was fixed in version 0.26.0 by marking the shared container and relevant UserDefaults files as excluded from backups (isExcludedFromBackup=true). Affected Files: • <app_sandbox>/Library/GroupContainers/<group_identifier>/UserDefaults/<plist_name>.plist • <app_sandbox>/Library/Preferences/net.aliasvault.app.plist Fixed In: 0.26.0 References: • Pull Request: https://github.com/aliasvault/aliasvault/pull/1499 • Pull Request: https://github.com/aliasvault/aliasvault/pull/1499/changes/b6bf747f775cf527014540989f7bd0b9f0091720 • Commits: https://github.com/aliasvault/aliasvault/commit/0bd662320174d8265dfe3b05a04bc13efc960532
Source⚠️ https://github.com/aliasvault/aliasvault/issues/1497#event-22294539220
User
 nmaochea (UID 95128)
Submission02/11/2026 06:10 (3 months ago)
Moderation02/22/2026 15:47 (11 days later)
StatusDuplicate
VulDB entry347340 [AliasVault App up to 0.25.3 on Android/iOS Backup aliasvault.xml backup]
Points0

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!