Soroush IM Desktop App 0.17.0 Authentication Bypass via Database Injection
Description
Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Soroush IM Desktop App 0.17.0 uses a constant encryption key, enabling local attackers to bypass authentication by injecting pre-encrypted database entries.
Vulnerability
Soroush IM Desktop App version 0.17.0 BETA uses a constant encryption key for all database files, causing identical encrypted output across every installation [1][2]. An attacker with local access can inject pre-encrypted database records—specifically a NO_PASSCODE entry—into the application's database files. The affected database and log files reside in the same folder, and the application pushes log file entries into the permanent database, making the injection effective [1].
Exploitation
To exploit the vulnerability, an attacker must have local access to the victim's machine (e.g., via a malicious co-user, insider threat, or compromised account) [1][2]. The attacker prepares a pre-encrypted database entry that represents a state with no passcode set. When that entry is copied into the application's database log files, the application processes the log and merges it into the permanent database. Once the database is overwritten, restarting the Soroush client removes the original passcode, unlocking the application without authentication [1].
Impact
Successful exploitation bypasses the client's authentication mechanism entirely. The attacker gains full access to all stored data, including chats, images, and files. Furthermore, the attacker can send and receive messages on behalf of the legitimate user, and may also cause a denial of service by setting a new passcode, locking out the original user [1][2].
Mitigation
According to the available references, no official patch has been published for Soroush IM Desktop App 0.17.0 BETA. The vendor has not released a fixed version or acknowledged a timeline for remediation [1][2]. Users should consider ceasing use of the application or restricting local access to affected machines until a security update is provided.
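The constant-key weakness described under Vulnerability, shown beside a design that resists it. This is an added example, not Soroush code and not taken from the cited references. The cipher (AES-256-GCM), the record name `passcode_state`, the `PASSCODE_SET` value, the key bytes and the passcode are all constructed assumptions.

```javascript
// Added example, not Soroush code: key, record name and layout are assumptions.
const nodeCrypto = require('node:crypto');

// Constructed stand-in for a key that is identical in every installation.
const CONSTANT_KEY = Buffer.alloc(32, 0x41);

// AES-256-GCM with the record name as associated data.
// Output layout: iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, name, value) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null if the blob was not sealed under this key and name.
function unseal(key, name, blob) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    d.setAAD(Buffer.from(name));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Hardened form: the key is derived from the passcode and a per-install salt,
// so it is never stored and differs between installations.
function deriveKey(passcode, salt) {
  return nodeCrypto.scryptSync(passcode, salt, 32);
}

// A state record that fails authentication means "locked", never "no passcode".
function passcodeState(key, blob) {
  const value = unseal(key, 'passcode_state', blob);
  return value === null ? 'LOCKED' : value;
}

function demo() {
  // Record sealed outside this installation under the shared key (constructed).
  const foreign = seal(CONSTANT_KEY, 'passcode_state', 'NO_PASSCODE');
  const weak = passcodeState(CONSTANT_KEY, foreign); // constant key accepts it
  const key = deriveKey('constructed-passcode', nodeCrypto.randomBytes(16));
  const hardened = passcodeState(key, foreign);      // derived key rejects it
  const own = passcodeState(key, seal(key, 'passcode_state', 'PASSCODE_SET'));
  return { weak, hardened, own };
}
```

If the stored chats and files are encrypted under the same passcode-derived key, replacing or deleting the state record yields no readable data either.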
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.exploit-db.com/exploits/45171 (mitre, exploit)
- www.vulncheck.com/advisories/soroush-im-desktop-app-authentication-bypass-via-database-injection (mitre, third-party-advisory)
- 54.36.43.176/SoroushSetup0.17.0.exe (mitre, product)
- soroush-app.ir (mitre, product)