Security Vulnerabilities in the OptiGuide Screen Reader

OptiGuide claims to be "the first screen reader to provide access to Safe Mode". That may be true, but it’s also a security risk.
In brief, the vendor leaves open access to its website, and the installer adds a root certificate, with the private key included, that attackers could use to make a website look trusted.
For details, see below. Uninstalling the latest version of OptiGuide appears to remove its certificate, but when I installed an older one (I tested with 1.0.55) and uninstalled it, the certificate was not removed. You can check in Certificates/Trusted Root Certification Authorities. Search for ACCESSIBLESOFT and remove it.

After installation of OptiGuide 1.0.57, I noticed it installed a self-signed certificate into my root certificate store. Looking at the certificate properties for the ACCESSIBLESOFT\Operator certificate, this line stood out:

You have a private key that corresponds to this certificate.

I’m not sure what this is used for or why it is needed.

I wasn’t able to export it via the GUI, so I looked at what imported it. The certificate is contained in OptiGuide_TemporaryKey.pfx in the program’s folder.

The first obstacle was the import password that .pfx files carry. Running strings on InstallCert.exe finds it quite easily. With that in hand, I used openssl to convert the file to .pem and examine the keys:

$ openssl pkcs12 -in OptiGuide_TemporaryKey.pfx -out test.pem -nodes
Enter Import Password:
MAC verified OK
$ grep BEGIN test.pem
-----BEGIN PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

This certificate is valid until October 20, 2013. Because it contains the private key and can be used for client authentication, I can quite easily set up a server that uses it. Once that is done, Internet Explorer will consider it valid. Firefox uses its own certificate store, which doesn’t have this certificate.
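The two manual checks described above (the “You have a private key” line on a certificate in Trusted Root Certification Authorities, and inspecting the .pfx for its validity period and usages) can be scripted. The following is an added example written for this post; it is not OptiGuide’s code and not part of the original write-up. It audits both Windows root stores for a trusted root whose private key is present on the machine or whose subject matches the vendor name, and optionally opens the .pfx the way openssl did above. The $PfxPath and $PfxPassword parameters are assumptions; the import password is not reproduced here. Removal uses the certificate provider’s Remove-Item, which needs PowerShell 3.0 or later and an elevated shell for the LocalMachine store.

```powershell
# Added example (not from the original post or from OptiGuide).
# Audits the Trusted Root stores for the anomaly described above and
# optionally inspects the .pfx that imported it.
param(
    [string]$SubjectPattern = '*ACCESSIBLESOFT*',
    [string]$PfxPath = '',      # assumed: e.g. OptiGuide_TemporaryKey.pfx in the program folder
    [string]$PfxPassword = '',  # assumed: the .pfx import password (not reproduced here)
    [switch]$Remove             # delete matching roots (PowerShell 3.0+, admin for LocalMachine)
)

function Get-CertEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # No EKU extension means the certificate is unrestricted, the usual case for a root.
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @('<none: unrestricted>') }
    return @($ext.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" })
}

function Show-CertSummary {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Location
    )
    [pscustomobject]@{
        Location      = $Location
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        HasPrivateKey = $Cert.HasPrivateKey   # the "You have a private key" line in the GUI
        NotAfter      = $Cert.NotAfter
        Expired       = ($Cert.NotAfter -lt (Get-Date))
        Thumbprint    = $Cert.Thumbprint
        EKUs          = (Get-CertEkus -Cert $Cert) -join '; '
    }
}

# 1. Inspect the .pfx itself, as the openssl commands above did, if a path was given.
if ($PfxPath -and (Test-Path $PfxPath)) {
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    Show-CertSummary -Cert $pfx -Location $PfxPath | Format-List
}

# 2. Audit both root stores. A trusted root whose private key sits on this machine
#    is a finding whatever its name: whoever holds that key can issue certificates
#    this machine will trust.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.HasPrivateKey -or $_.Subject -like $SubjectPattern -or $_.Issuer -like $SubjectPattern
    } | ForEach-Object { Show-CertSummary -Cert $_ -Location $store }
}

if (-not $findings) {
    Write-Host "No trusted root with a local private key or matching '$SubjectPattern' was found."
} else {
    $findings | Format-Table Location, Subject, HasPrivateKey, NotAfter, Thumbprint -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            # Remove by thumbprint from the store it was found in (the manual step described above).
            Get-ChildItem -Path $f.Location |
                Where-Object { $_.Thumbprint -eq $f.Thumbprint } |
                Remove-Item
            Write-Host "Removed $($f.Thumbprint) from $($f.Location)"
        }
    }
}
```

Run it without -Remove first and review the table; the HasPrivateKey column is the one that matters, since a legitimate public root CA never ships its signing key to end-user machines. Pass -Remove only once you are sure the listed entries are the ones you want gone.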

Moving on, I looked at the network activity when running OptiGuide.
I saw an FTP connection to utechaccess.com, from which it fetched Optiguide/Customers.txt.
Looking further, that FTP access leads to the webroot of the main OptiGuide website, which could allow the OptiGuide setup executable to be replaced. Because of this, I cannot be sure that the setup file hasn’t been tampered with.
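Since the post cannot rule out a swapped setup file, the one check a user can make locally is whether the installer carries a valid Authenticode signature, and to record its hash so a later download can be compared. This is an added example written for this post, not code from the original or from the vendor; the installer file name is an assumption, and the post does not say whether the real installer is signed at all.

```powershell
# Added example (not from the original post): report the Authenticode status and
# SHA-256 of a downloaded installer. Get-FileHash requires PowerShell 4.0 or later.
param([string]$InstallerPath = '.\OptiGuideSetup.exe')  # assumed file name

if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }

$sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash

# 'Valid' only means the signature chains to a root this machine trusts, which is
# exactly why the contents of the Trusted Root store matter.
$note = switch ($sig.Status) {
    'Valid'     { 'Signed; compare Signer against the publisher you expect.' }
    'NotSigned' { 'Unsigned: a tampered copy is indistinguishable from the original.' }
    default     { "Signature problem ($($sig.StatusMessage)); do not run until explained." }
}

$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

[pscustomobject]@{
    File   = $InstallerPath
    SHA256 = $hash
    Status = $sig.Status
    Signer = $signer
    Note   = $note
}
```

Keep the SHA256 value alongside the download date; if a later copy of the same version hashes differently and the vendor has not announced a change, that is the tampering scenario the post describes.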

I reported this on October 18, and new versions have been released since then with these same vulnerabilities. I feel it necessary to warn the community about this program, and hope that these problems can be fixed for the future. Once they are, I will update this post.

One Response to “Security Vulnerabilities in the OptiGuide Screen Reader”

  1. shane Says:

    Perhaps you should ask the person that created the software. I am that person. There isn’t a security risk at all. The private key has nothing to do with website spoofing. You need to learn more about this before posting an implicative blog that makes the software look malicious. I have put a lot of work into the software since then, and I have not received any money. I am the most honest person I know, and I will be willing to explain anything you need to know about the process. For example, the private key is something that is needed for UIA access. This is called User Interface Automation, or UIA for short. This relies on the security principles of Windows operating systems. It poses no risk, unless you don’t trust the source generally for another reason. If you are a suspicious person against any screen reader then your opinion is invalid. Programmers need to do things as a matter of appropriate course. The private key is needed for UIA access. You can find the project updates on my YouTube channel. Go to YouTube and search for primedivine channel.
