CVE-2024-45833
📋 TL;DR
Mattermost mobile apps version 2.18.0 and earlier fail to disable autocomplete during password entry when visible password mode is selected. This allows passwords containing special characters to be saved in SwiftKey keyboard dictionaries, potentially exposing credentials. Users of Mattermost mobile apps with SwiftKey as their default keyboard are affected.
💻 Affected Systems
- Mattermost Mobile App (iOS)
- Mattermost Mobile App (Android)
📦 What is this software?
Mattermost Mobile by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
User passwords containing special characters are stored in SwiftKey's dictionary, allowing anyone with physical access to the device to potentially retrieve saved credentials and gain unauthorized access to Mattermost accounts.
Likely Case
Passwords with special characters get saved in SwiftKey's autocomplete dictionary, potentially exposing them to other apps or users who access the keyboard's dictionary data.
If Mitigated
If users keep password masking enabled or use keyboards without dictionary saving features, the vulnerability has minimal impact.
🎯 Exploit Status
Exploitation requires physical access to the device or the ability to extract keyboard dictionary data. The user must have disabled password masking and used a password containing special characters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.0
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Update the Mattermost mobile app to version 2.19.0 or later from the official app stores.
2. Restart the app after the update.
3. Consider changing passwords that may have been exposed.
🔧 Temporary Workarounds
Enable Password Masking
Keep password masking (obscuring dots) enabled during login to prevent password saving in keyboard dictionaries.
Change Default Keyboard
Switch from SwiftKey to another keyboard that doesn't save passwords in dictionaries.
🧯 If You Can't Patch
- Change passwords that contain special characters and may have been exposed while using SwiftKey with password masking disabled.
- Enable password masking in Mattermost app settings and avoid using visible password mode during login.
🔍 How to Verify
Check if Vulnerable:
Check Mattermost mobile app version in app settings. If version is 2.18.0 or earlier, the app is vulnerable.
Check Version:
Check app version in Mattermost mobile app settings under 'About' or similar section.
Verify Fix Applied:
Verify app version is 2.19.0 or later in app settings. Test login with visible password mode and SwiftKey to confirm autocomplete is disabled.
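For developers reviewing their own login screens, the following is an added illustration in plain JavaScript; it is not code from this page or from the Mattermost mobile repository. It sketches a React Native TextInput prop set for a password field in which only the masking changes when the user toggles "show password", while the props that control keyboard suggestion and learning stay off in both modes. The function names (passwordFieldProps, isKeyboardLearnable) are hypothetical; the prop names are React Native's documented TextInput props, and keyboardType 'visible-password' is the Android-only value that maps to the visible-password input class, which signals to input methods that the text is a password.

```javascript
// Added illustration (hypothetical helper, not Mattermost's own code): build
// the React Native <TextInput> props for a password field so the keyboard is
// told not to learn or suggest the text, whether or not the user has toggled
// the password visible.
function passwordFieldProps(showPassword) {
  return {
    // Masking is the only thing that should change with the toggle.
    secureTextEntry: !showPassword,
    // Keep every suggestion/learning feature off in both modes.
    autoCorrect: false,
    autoCapitalize: 'none',
    spellCheck: false,             // iOS
    autoComplete: 'off',
    textContentType: 'password',   // iOS: field semantics remain "password"
    importantForAutofill: 'no',    // Android autofill framework
    // Android: while the text is visible, use the visible-password input
    // class so the IME still treats it as a password. While masked,
    // secureTextEntry already selects the password input class.
    keyboardType: showPassword ? 'visible-password' : 'default',
  };
}

// Review-time check: does a given prop set leave the typed text open to
// keyboard learning? Missing props count as "on", since that is the platform
// default for autoCorrect and autoComplete.
function isKeyboardLearnable(props) {
  if (props.secureTextEntry) return false;                  // masked text is not learned
  if (props.keyboardType === 'visible-password') return false;
  return props.autoCorrect !== false || props.autoComplete !== 'off';
}

// Constructed comparison: a field that only flips secureTextEntry (the
// pattern the advisory describes) versus the hardened prop set.
const naiveVisibleField = { secureTextEntry: false, keyboardType: 'default' };
console.log('naive visible field learnable:', isKeyboardLearnable(naiveVisibleField));       // true
console.log('hardened visible field learnable:', isKeyboardLearnable(passwordFieldProps(true))); // false
```

The check is deliberately conservative: a prop set is only considered safe when masking is on, the Android visible-password class is selected, or both autoCorrect and autoComplete are explicitly off, so a reviewer cannot pass it by omitting props.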
📡 Detection & Monitoring
Log Indicators:
- No specific server-side log indicators as this is a client-side vulnerability.
Network Indicators:
- No network-based detection possible for this client-side issue.
SIEM Query:
Not applicable - client-side vulnerability