
WinKee Security

This page contains all security-related information concerning WinKee.

Possible task manager-related side channel leak

There is a possible attack against WinKee that exploits the fact that the Windows Phone 8.1 Task Manager (long-press the Back button to bring it up) displays screenshots of the currently running apps.

The scenario of the attack is as follows:
  1. Launch WinKee and decrypt a password database
  2. Open a password entry
  3. Choose to display the password
  4. Press the Start button or use the task manager to switch to another app
  5. Open the task manager again. You will see your username and password displayed on the WinKee thumbnail

The leak only affects the currently displayed password entry, and it happens even if you use the application master password functionality.

There is currently no way for us to prevent this behavior. The only way to avoid leaking the username and/or password in this way is to always return to the password list screen before switching apps. A warning will be added to WinKee's password entry screen to inform the user about this necessity.

Last edited Jul 31, 2014 at 11:25 AM by mar3ek, version 1