Australian software developer Click Studios on Saturday urged Passwordstate customers to reset all of their passwords if they downloaded a poisoned update using the software’s In-Place Upgrade functionality.
The functionality, the company says, served a poisoned update after a threat actor managed to compromise the upgrade director on the clickstudios.com.au website. The breach was closed after roughly 28 hours.
“Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested,” Click Studios says.
Affected customers of the enterprise password manager might have downloaded a malformed update package that contained a modified moserware.secretsplitter.dll file designed to fetch additional content from a remote location and to start a malicious process.
That process harvests and exfiltrates a variety of system information, including computer name, usernames, current process name and ID, domain name, running processes and services, display name and status, proxy server address for Passwordstate, and the password manager’s username and password.
The malicious process gathers a great deal of data from Passwordstate, including URLs, usernames, passwords, notes, and other information stored in the application.
Customers are advised to check the moserware.secretsplitter.dll file and, if it’s size is 65kb, to contact the Click Studios support team to receive a hotfix file and additional details on the cleanup operation.
Affected customers are also advised to reset all of the passwords stored in Passwordstate, as they might have been exfiltrated by the attackers.
Click Studios says that the number of affected users appears to be low and that it has contacted active customers to inform them of the incident.