CVE-2020-27747
Description
An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973). If a user of the system has assigned themselves a PIN code for login from a mobile device using the built-in generator (4 digits), a remote attacker has the opportunity to conduct a brute-force attack on this PIN code. As a result, the remote attacker retrieves all passwords for other systems that are available to the affected account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Passwordstate 8.9 mobile login PIN (4 digits) lacks rate limiting, enabling remote brute-force to recover all passwords assigned to the victim account.
Vulnerability
Click Studios Passwordstate 8.9 (Build 8973) exposes a mobile login endpoint that accepts a four‑digit PIN generated by the built‑in PIN generator. The server does not restrict the number of failed authentication attempts against this PIN. An attacker who knows the target username can therefore guess PIN values repeatedly without lockout or delay, which corresponds to CWE‑307 (Improper Restriction of Excessive Authentication Attempts) [2].
Exploitation
The attacker must know a valid username for which the victim has enabled PIN‑based mobile login. No additional privileges or local access are required. The attacker sends successive login requests to the mobile login page, each with a different 4‑digit PIN guess, until the correct PIN is found. With only 10 000 possible combinations, a brute‑force program can exhaust the PIN space in minutes [2].
Impact
Successful brute‑force of the PIN grants the attacker access to all passwords and secrets that the victim account is authorized to view in Passwordstate. The impact is total disclosure of credentials stored under that account, leading to full compromise of any systems relying on those passwords [1][2].
Mitigation
No fixed version of Passwordstate 8.9 (Build 8973) exists; the vendor was notified but no patch was released before publication [2]. Organizations still running this build should disable mobile PIN login, restrict network access to the Passwordstate web interface, and monitor for repeated failed login attempts as a temporary workaround. Upgrading to a later build (if available) may also address the issue, though no official fix is confirmed in the referenced materials [1][2].
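The two compensating controls the Mitigation section names, as an added Python example that is neither Passwordstate code nor the vendor's guidance: a per-account failed-attempt limit for the mobile PIN (the CWE‑307 control the affected build lacks) and a detector that flags repeated failed mobile-PIN logins in web-server log lines. The /mobile/login path, the log line format, and the threshold and window values are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5               # lock the account after this many failed PINs...
WINDOW = timedelta(minutes=15) # ...inside this sliding window
def _prune(q, now):  # drop failure timestamps outside the window, return how many remain
    while q and now - q[0] > WINDOW:
        q.popleft()
    return len(q)
class PinLockout:
    """Per-username failed-attempt limit for the mobile PIN (a CWE-307 control)."""
    def __init__(self):
        self._fails = defaultdict(deque)
    def verify(self, user, pin_ok, now):
        """True only if the PIN matched and the account is not locked out."""
        q = self._fails[user]
        if _prune(q, now) >= MAX_FAILURES:
            return False               # locked: reject even a correct PIN
        if pin_ok:
            q.clear()
            return True
        q.append(now)
        return False
def lockout_demo():
    """Five wrong PINs lock the account; the lock lapses once the window passes."""
    lock, t0 = PinLockout(), datetime(2020, 10, 1, 10, 0, 0)
    for i in range(MAX_FAILURES):
        lock.verify("alice", False, t0 + timedelta(seconds=i))
    rejected = not lock.verify("alice", True, t0 + timedelta(seconds=6))
    recovered = lock.verify("alice", True, t0 + WINDOW + timedelta(seconds=10))
    return rejected, recovered
# Assumed log line format for the mobile login endpoint (constructed, not Passwordstate's)
LOG_RE = re.compile(r"^(\S+) POST /mobile/login user=(\S+) status=(ok|fail)$")
def flag_pin_bruteforce(lines, threshold=MAX_FAILURES):
    """Usernames with at least `threshold` failed mobile-PIN logins inside one WINDOW."""
    seen, flagged = defaultdict(deque), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "fail":
            continue
        ts, q = datetime.fromisoformat(m.group(1)), seen[m.group(2)]
        q.append(ts)
        if _prune(q, ts) >= threshold:
            flagged.add(m.group(2))
    return sorted(flagged)
# Constructed sample: alice fails six times in six seconds; bob fails once, then succeeds
SAMPLE_LOG = [f"2020-10-01T10:00:{s:02d} POST /mobile/login user=alice status=fail" for s in range(6)]
SAMPLE_LOG += ["2020-10-01T10:00:03 POST /mobile/login user=bob status=fail", "2020-10-01T10:00:09 POST /mobile/login user=bob status=ok"]
```

Because the lock expires with the window, an attacker is limited to MAX_FAILURES guesses per WINDOW per account instead of an unthrottled sweep of all 10 000 PINs, and the same counter drives the alert.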
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Click Studios / Passwordstate
- Range: =8.9 (Build 8973)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. www.clickstudios.com.au (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.