Author Topic: FreeSCAN password security issue  (Read 232 times)

Offline call_sign_null

FreeSCAN password security issue
« on: May 21, 2018, 12:16:22 PM »
I uninstalled FreeSCAN version 2.18 from my Windows 10 laptop today. The uninstall process was quick, and I like to verify any remaining files/folders aren't still lingering so I did a quick search of the entire disk for "freescan" and nothing was found. I'm also a bit of a deletionist and like to be a little more thorough, so I opened the registry editor and did a search again for "freescan" to look for any remaining installation artifacts I could remove. Buried deep in HKEY_USERS, I found something interesting:



Right there - in plain text - is my radioreference.com username and password. If you use the RadioReference database import features and keep the "remember me" box checked, this is how your credentials are stored. Uninstalling FreeSCAN, via the included uninstaller or the Windows control panel, DOES NOT remove the stored radioreference username and password from your computer. This information is accessible to any user who can open the registry editor. But more importantly, it is accessible to any executing program on your machine. I would consider this a somewhat concerning issue - storing passwords in plain text is never a good idea as a software developer. Microsoft does provide tools for Windows applications to securely handle data such as usernames and passwords - notably, the Data Protection API.

To patch this issue on your computer, run these two commands from the command prompt - note that the exact path may differ on your local machine. Open regedit and find "FreeSCAN" in HKEY_USERS or HKEY_CURRENT_USER:

REG DELETE "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\FreeSCAN\Settings" /v UserPW

REG DELETE "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\FreeSCAN\Settings" /v UserName




This will delete the username and password which is stored as plain text and easily visible. After clearing these registry values, FreeSCAN users should NOT check the "Remember me" box when using the RadioReference database import feature. I would also recommend changing your RadioReference password(s).

Originally posted in the RadioReference forums here:

https://forums.radioreference.com/scanner-programming-software/370702-freescan-security-issue.html
« Last Edit: May 21, 2018, 02:50:18 PM by call_sign_null »
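
Added example, not part of the original post or of FreeSCAN: a PowerShell check for the UserPW and UserName values described above, covering every user hive currently loaded under HKEY_USERS rather than only HKEY_CURRENT_USER. The `-Remove` switch name is an assumption of this example; the key path and value names are the ones quoted in the post.

```powershell
# Added example, not from the thread. Reports, and with -Remove deletes, the
# saved values in every user hive currently loaded under HKEY_USERS.
param([switch]$Remove)   # assumed switch name; without it the script only reports

# Key path and value names as quoted in the post above.
$subKey = 'Software\VB and VBA Program Settings\FreeSCAN\Settings'
$names  = 'UserPW', 'UserName'

# HKEY_USERS has no default PowerShell drive, so use provider-qualified paths.
# Hives of accounts that are not logged on are not loaded and are not covered.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$findings = foreach ($hive in $hives) {
    $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }

    $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }   # key exists but is not readable

    foreach ($name in $names) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        # Record presence and length only; never echo the stored secret.
        [pscustomobject]@{
            Sid     = $hive.PSChildName
            Value   = $name
            Length  = ([string]$prop.Value).Length
            KeyPath = $keyPath
        }
    }
}

if (-not $findings) {
    Write-Output 'No saved FreeSCAN credentials found in loaded user hives.'
    return
}

$findings | Format-Table Sid, Value, Length -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -LiteralPath $f.KeyPath -Name $f.Value
        Write-Output "Removed $($f.Value) from hive $($f.Sid)"
    }
}
```

Run from an elevated prompt to reach hives belonging to other logged-on accounts; a non-elevated run only sees the hives the current user can read.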

Offline call_sign_null

Re: FreeSCAN password security issue
« Reply #1 on: May 21, 2018, 02:23:01 PM »
It gets better (worse)! I also noticed that the requests made by FreeSCAN to the RadioReference API are not using HTTPS:



Here again you can see my username and password. The RadioReference authentication request is being sent over an insecure HTTP connection, and this sensitive info is freely visible to anyone or anything that inspects my network traffic.

Offline FrankS

Re: FreeSCAN password security issue
« Reply #2 on: May 21, 2018, 02:41:43 PM »
Good Job! ~ call sign null ~ for finding all this & passing on this Important Info. !!  Oh No... >:( I just signed up last week. On the same topic I had a question I posted in the  Freescan forum a few days ago that was edited/messed with. The context was changed & a demeaning comment added...Hacked !!  Definitely has security issues.   I hope FreeScan fixes this ASAP !
« Last Edit: May 21, 2018, 05:46:22 PM by FrankS »