Key vulnerability information

Title: AliasVault v0.25.3 Insecure Storage of Sensitive Information

Description:
- AliasVault version 0.25.3 on iOS stores sensitive authentication and encryption data in plaintext in the shared container and in UserDefaults plist files. The app does not exclude these files from iCloud or device backups. The sensitive values include access tokens, refresh tokens, key derivation parameters, and authentication metadata.
- An attacker can steal these sensitive values by accessing a device backup or during a device transfer, and so compromise user accounts and active sessions. The vulnerability is fixed in version 0.26.0 by marking the shared container and the related UserDefaults files for exclusion from backups (isExcludedFromBackup=true).

Affected Files:
-
-

Fixed In: 0.26.0

References:
- Pull Request: https://github.com/aliasvault/aliasvault/pull/1499
- Pull Request: https://github.com/aliasvault/aliasvault/pull/1499/changes/b6bf747f775cf527014540989f7bd0b9f0091720
- Commits: https://github.com/aliasvault/aliasvault/commit/0bd662320174d8265dfe3b05a04bc13efc960532

Source: https://github.com/aliasvault/aliasvault/issues/1497#event-22294539220

User: nmaochea (UID 95128)
Submission: 02/11/2026 06:10 AM (12 days ago)
Moderation: 02/22/2026 03:47 PM (11 days later)
Status: Duplicate
VulDB entry: 347340 [AliasVault App up to 0.25.3 on Android/iOS Backup aliasvault.xml backup]
Points: 0
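The kind of mitigation the description names (isExcludedFromBackup=true on the shared container and its UserDefaults plists), as an added Swift example; this is not AliasVault's code. The App Group identifier and both function names are hypothetical, and the plist location assumes the standard `Library/Preferences` directory inside the group container.

```swift
import Foundation

// Hypothetical App Group identifier; substitute the app's own.
let appGroupID = "group.com.example.vault"

/// Sets isExcludedFromBackup on `url`, then reads the flag back from disk
/// so the caller knows whether the exclusion actually took effect.
func excludeFromBackup(_ url: URL) throws -> Bool {
    var target = url                      // setResourceValues is mutating
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try target.setResourceValues(values)

    target.removeAllCachedResourceValues()  // force a fresh read
    let check = try target.resourceValues(forKeys: [.isExcludedFromBackupKey])
    return check.isExcludedFromBackup ?? false
}

/// Marks the shared container and every preferences plist inside it.
/// Returns the items that still lack the flag (empty means all are excluded).
func protectSharedContainer() throws -> [URL] {
    guard let container = FileManager.default
        .containerURL(forSecurityApplicationGroupIdentifier: appGroupID) else {
        throw CocoaError(.fileNoSuchFile)
    }

    var notExcluded: [URL] = []
    let containerOK = try excludeFromBackup(container)
    if !containerOK { notExcluded.append(container) }

    // Suite-backed UserDefaults are persisted as plists in this directory.
    let prefsDir = container.appendingPathComponent("Library/Preferences",
                                                    isDirectory: true)
    let entries = (try? FileManager.default.contentsOfDirectory(
        at: prefsDir, includingPropertiesForKeys: nil)) ?? []

    for plist in entries where plist.pathExtension == "plist" {
        let ok = try excludeFromBackup(plist)
        if !ok { notExcluded.append(plist) }
    }
    return notExcluded
}
```

Apple's documentation for `isExcludedFromBackup` notes that some file operations reset the flag, so the call belongs on every launch (and after the plists are rewritten) rather than once at install time.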