CVE-2024-24272
Description
An issue in iTop DualSafe Password Manager & Digital Vault before 1.4.24 allows a local attacker to obtain sensitive information via leaked credentials as plaintext in a log file that can be accessed by the local user without knowledge of the master secret.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
iTop DualSafe Password Manager before 1.4.24 leaks plaintext credentials in a browser extension log file accessible to any local user without the master secret.
Vulnerability
The DualSafe Password Manager browser extension by iTop, in versions prior to 1.4.24, logs credentials in plaintext to a LevelDB log file stored in the browser's extension data directory [1]. In the vulnerable version 1.4.21, after credential pairs are stored and used via the extension icon, entries in the log file contain the plaintext password within the JSON structures for login credentials [1]. The log file is located at a path such as C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgbjhdkjmpgjgcbcdlhkokkckpjmedgc\000003.log [1]. The logging behavior requires no special configuration; it occurs during normal use of the password manager [1].
Exploitation
An attacker with local access to the user's machine (as any local user or process) can read the log file without the master secret that normally protects the vault [1]. No prior authentication to the password manager is needed [1]. By navigating to the browser extension's data directory, the attacker can open the .log file and search for entries containing the string "pwd":"" to extract plaintext credentials [1]. The vulnerability is exploitable after a victim has stored or used only a few credential pairs; the credentials appear in the log file after just a few login attempts [1].
Impact
Successful exploitation allows a local attacker to read all credentials that were inadvertently logged as plaintext [1]. This leads to a complete loss of confidentiality for stored passwords, usernames, and associated URLs [1]. Since the attacker obtains the actual plaintext passwords, they can directly use them to access the corresponding online accounts or services without needing to decrypt the vault [1]. The attacker gains no higher privilege on the local system itself, but the leaked credentials can enable further remote compromise of the victim's online identities [1].
Mitigation
Users should update the DualSafe Password Manager extension to version 1.4.24 or later, which contains the fix for this issue [1]. The vendor (iTop) responded quickly and implemented the fix after the report [1]. There is no known workaround for affected versions [1]. Users should also replace any credentials that may have been exposed in the log files prior to the upgrade [1]. This CVE is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
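A local audit check for the mitigation above, added here as an example and not code from the CVE record, the vendor or any cited reference: it walks the Chrome profiles under a User Data directory, reads the DualSafe manifest version, reports whether it predates the fixed release 1.4.24, and notes whether LevelDB .log files exist for the extension (a vulnerable version with existing logs means stored credentials may have been written in plaintext and should be rotated after updating). The extension id, log path and fixed version come from the record above; the Extensions/<id>/<version>_<n>/manifest.json layout is assumed from Chrome's standard profile structure, and demo() audits a constructed tree rather than the real profile.

```python
import json
import tempfile
from pathlib import Path

# Extension id and fixed version come from the CVE record above.
DUALSAFE_EXTENSION_ID = "lgbjhdkjmpgjgcbcdlhkokkckpjmedgc"
FIXED_VERSION = "1.4.24"

def parse_version(version):
    """'1.4.21' -> (1, 4, 21), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(version):
    """True for any DualSafe release before the fixed version 1.4.24."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_user_data_dir(user_data_dir):
    """Return (profile, version, vulnerable, has_leveldb_logs) for each Chrome
    profile under a 'User Data' directory. Assumed layout: Chrome keeps extension
    manifests at <profile>/Extensions/<id>/<version>_<n>/manifest.json and the
    extension's LevelDB data under <profile>/Local Extension Settings/<id>/.
    """
    findings = []
    for profile in sorted(Path(user_data_dir).iterdir()):
        ext_dir = profile / "Extensions" / DUALSAFE_EXTENSION_ID
        if not ext_dir.is_dir():
            continue
        settings = profile / "Local Extension Settings" / DUALSAFE_EXTENSION_ID
        has_logs = settings.is_dir() and any(settings.glob("*.log"))
        for manifest in ext_dir.glob("*/manifest.json"):
            # Chrome manifests may carry a UTF-8 BOM; utf-8-sig tolerates it.
            version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            findings.append((profile.name, version, is_vulnerable(version), has_logs))
    return findings

def demo():
    """Audit a constructed (fake) User Data tree; nothing on the real system is read."""
    root = Path(tempfile.mkdtemp())
    for profile, version in (("Default", "1.4.21"), ("Profile 1", "1.4.24")):
        ver_dir = root / profile / "Extensions" / DUALSAFE_EXTENSION_ID / f"{version}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps({"version": version}))
    log_dir = root / "Default" / "Local Extension Settings" / DUALSAFE_EXTENSION_ID
    log_dir.mkdir(parents=True)
    (log_dir / "000003.log").write_bytes(b"")  # constructed placeholder, not a real LevelDB log
    return audit_user_data_dir(root)

if __name__ == "__main__":
    print(demo())
```

Point audit_user_data_dir at the real profile root (for example %LOCALAPPDATA%\Google\Chrome\User Data) to check an actual installation; the function never reads or prints log contents, only whether log files exist.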
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
iTop / DualSafe Password Manager & Digital Vault
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.