OptiGuide claims to be "the first screen reader to provide access to Safe Mode". That may be true, but it’s also a security risk.
In brief, the program's FTP connection gives open access to their website's files, and the installer adds a root certificate together with its private key, which attackers can use to make a website look trusted.
For details, see below. Uninstalling the latest version of OptiGuide appears to remove its certificate, but when I installed an older one (I tested with 1.0.55) and uninstalled it, the certificate was not removed. You can check in Certificates/Trusted Root Certification Authorities. Search for ACCESSIBLESOFT and remove it.
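The manual check above can be scripted. The following PowerShell is an added example, not code from the post or from the OptiGuide vendor: it walks the machine and user Trusted Root stores, reports any entry whose subject or issuer matches a search string (ACCESSIBLESOFT by default, the name given above), and also flags any trusted root for which Windows reports a private key on this computer, since a genuine third-party root CA never ships its private key with an installer. Removal is opt-in via the -Remove switch.

```powershell
# Added example (not from the original post): audit the Windows Trusted Root stores
# for a certificate like the ACCESSIBLESOFT one described above.
# - Matches on subject/issuer text (default pattern is the name from the post).
# - Also flags any root entry that has a private key on this machine ("You have a
#   private key that corresponds to this certificate" in the MMC properties view).
# Removal is off by default; run with -Remove from an elevated prompt to delete
# matches in the LocalMachine store. Requires PowerShell 3.0+ for Remove-Item on Cert:.
param(
    [string]$Pattern = 'ACCESSIBLESOFT',
    [switch]$Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }

    foreach ($cert in (Get-ChildItem -Path $store)) {
        $matchesName = ($cert.Subject -match $Pattern) -or ($cert.Issuer -match $Pattern)
        $hasPrivKey  = $cert.HasPrivateKey        # suspicious for anything in a Root store
        $selfSigned  = ($cert.Subject -eq $cert.Issuer)

        if (-not ($matchesName -or $hasPrivKey)) { continue }

        if ($matchesName) { $reason = 'subject/issuer matches pattern' }
        else              { $reason = 'private key present for a trusted root' }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SelfSigned    = $selfSigned
            HasPrivateKey = $hasPrivKey
            Reason        = $reason
        } | Format-List

        if ($Remove) {
            # $cert.PSPath is the provider path, e.g. Cert:\LocalMachine\Root\<thumbprint>
            Remove-Item -Path $cert.PSPath -Confirm
        }
    }
}
```

Run it without -Remove first and review the output; the private-key check is the more general one, because a future build could ship the same key under a different name.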
After installation of OptiGuide 1.0.57, I noticed it installed a self-signed certificate into my root certificate store. Looking at the certificate properties for the ACCESSIBLESOFT\Operator certificate, this line stood out:
You have a private key that corresponds to this certificate.
I’m not sure what this is used for or why it is needed.
I wasn’t able to export it via the GUI, so I looked at what imported it. The certificate is contained in OptiGuide_TemporaryKey.pfx in the program’s folder.
The first problem I had to solve was the import password that pfx files have. Running strings on InstallCert.exe finds it quite easily. Once this was found, I used openssl to convert it to a .pem and examine the keys:
    $ openssl pkcs12 -in OptiGuide_TemporaryKey.pfx -out test.pem -nodes
    Enter Import Password:
    MAC verified OK
    $ grep BEGIN test.pem
    -----BEGIN PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
This certificate is valid until October 20, 2013. Because it contains the private key and can be used for client authentication, I can quite easily set up a server that will use this.
Once done, Internet Explorer will consider this as valid. Firefox uses its own certificate store, which doesn’t have this certificate.
Moving on, I looked at the network activity when running OptiGuide.
I saw an ftp connection to utechaccess.com, where it proceeded to get Optiguide/Customers.txt.
Looking further, the ftp leads to the webroot of the main OptiGuide website, which possibly could allow the replacement of the OptiGuide setup executable. Because of this, I cannot be sure that the setup file hasn’t been tampered with.
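Since the setup executable comes from a webroot that may be writable over FTP, a user who already has the file can at least check whether it carries a valid Authenticode signature and who signed it. The script below is an added example, not the post's or the vendor's code; the installer file name is an assumption and should be replaced with the path of the downloaded file. Note the caveat it checks for: a signature that chains to a self-signed root installed locally by the same product (such as the ACCESSIBLESOFT certificate above) would report as Valid, so the issuer must be a publicly trusted CA for the result to mean anything.

```powershell
# Added example (not from the original post): check the Authenticode signature of a
# downloaded installer and record its SHA-256 for out-of-band comparison.
# The default file name is an assumption; pass -Installer with the real path.
# Get-FileHash requires PowerShell 4.0+.
param(
    [string]$Installer = '.\OptiGuideSetup.exe',
    # Roots that are NOT acceptable as the top of the signing chain: a self-signed
    # root dropped into the local store by an installer proves nothing.
    [string]$LocalRootPattern = 'ACCESSIBLESOFT'
)

if (-not (Test-Path $Installer)) { throw "File not found: $Installer" }

$sig  = Get-AuthenticodeSignature -FilePath $Installer
$hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash

if ($sig.SignerCertificate) {
    $signer = $sig.SignerCertificate.Subject
    $issuer = $sig.SignerCertificate.Issuer
} else {
    $signer = '(none)'
    $issuer = '(none)'
}

[pscustomobject]@{
    File   = $Installer
    SHA256 = $hash
    Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer = $signer
    Issuer = $issuer
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. The download cannot be vouched for; confirm the SHA-256 with the vendor before running it."
}
elseif ($issuer -match $LocalRootPattern) {
    # Valid only because a locally installed self-signed root vouches for it.
    Write-Warning "Signature chains to '$issuer', a root installed locally by the product itself; treat as unverified."
}
```

An unsigned or invalid-signature file is not proof of tampering, but combined with a writable webroot it means there is no way to tell a genuine build from a replaced one without a hash published through an independent channel.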
I reported this on October 18, and new versions have been released since then with these same vulnerabilities. I feel it necessary to warn the community about this program, and hope that these problems can be fixed for the future. Once they are, I will update this post.