From:
To: ██████████
Product: Arq Backup
Date: July 15th, 2022
Date of public disclosure: September 7th, 2022
Attachments:
arqbackup.zip
Hi Stefan,
First off, let me just say that I really like Arq Backup. I've been using it on my laptop for over a year now, and it fills its niche perfectly.
The vulnerability I discovered is that backup encryption passwords are stored locally in a reversibly encrypted way, which would allow malware running locally with administrative privileges to steal the user's password(s). I've included a proof of concept demo script of this in the attached zip file (password is "█████████").
Thankfully, this is pretty easy to fix. As Arq already derives the backup encryption key from the user's password with a slow key derivation function, it does not have to store the user's password—only the derived encryption key.
Note that it is not a problem to store other types of secrets (e.g. OAuth refresh tokens, etc.) in a reversibly encrypted way as they are not reused. In contrast, users will reuse passwords elsewhere, so compromise by an attacker grants access beyond that legitimately needed for Arq's normal operation.
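The storage model described above, as an added example that is not Arq's code and not part of the original report: the password is stretched once with a slow KDF, only the derived key and its salt are persisted (the `LocalSecretStore` class is a hypothetical stand-in for the OS keychain), and later launches or password re-entry work without the password ever having been stored.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256; deliberately slow, paid once at setup


def derive_backup_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow KDF: stretch the user's password into a 32-byte backup encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


class LocalSecretStore:
    """Hypothetical stand-in for the OS keychain / protected local config.
    Anything persisted here is readable by software with admin rights on the host,
    so the rule is: persist only what the app needs to run, i.e. the derived key."""

    def __init__(self):
        self._items = {}

    def put(self, name: str, value: bytes) -> None:
        self._items[name] = value

    def get(self, name: str):
        return self._items.get(name)

    def contains(self, needle: bytes) -> bool:
        """Audit helper: does any stored blob contain this byte string?"""
        return any(needle in v for v in self._items.values())


def enroll_backup_set(store: LocalSecretStore, password: str, salt: bytes = b"") -> bytes:
    """Run once when the user sets a backup password: derive the key, persist key + salt.
    The password itself is dropped as soon as this function returns."""
    salt = salt or os.urandom(16)
    key = derive_backup_key(password, salt)
    store.put("backup-key", key)
    store.put("backup-salt", salt)  # salt is not secret; needed to re-derive elsewhere
    return key


def load_backup_key(store: LocalSecretStore):
    """Every later launch: use the persisted key directly, no password and no KDF cost."""
    return store.get("backup-key")


def verify_password(store: LocalSecretStore, candidate: str) -> bool:
    """Password re-entry (restore on a new machine, re-auth): re-derive and compare.
    Works even though the password was never written to disk."""
    salt, key = store.get("backup-salt"), store.get("backup-key")
    if salt is None or key is None:
        return False
    return hmac.compare_digest(derive_backup_key(candidate, salt), key)
```

With this layout a local attacker who dumps the store obtains the backup key (which they could obtain anyway from a running client) but cannot recover the reusable password from it, since PBKDF2 is one-way.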
I will be following the industry standard of responsible disclosure with this vulnerability, as elucidated in Google's policy. Your deadline is (July 14 + 90 days = ) October 12th, 2022.
Please notify me when you have successfully reproduced the vulnerability using my proof of concept, or if you have trouble doing so. Additionally, feel free to email me about any other matter in connection with my report; I'm here to help.
Thank you for your time.
Kind regards,
Sam Haskins