Friday, April 3, 2009

Mint: Serious Security Flaw?

I was thinking of joining the hordes using Mint, a web-based application ("we download, categorize and graph all of your finances automatically every day, so you know where you’re spending, without spending any effort") to handle their personal finance. But I found this interesting bit of criticism in the comments for Mint's iPhone app (referring not specifically to the iPhone app, but to Mint as a whole):

"Mint states that they don't store your bank password. That is right. They instead give your password to yodley. And what yodley does is encrypt your password with an encryption key and store the encrypted password as well as the key in their database. It is important to note that the key has to be stored somewhere on the system since it will be needed to periodically decrypt your bank password in order to pull fresh data from your bank. Unfortunately, What this means is that a database administrator or anyone with suitable access can first read the key and then use that to decrypt your bank password. You know the rest of the story... Thank you mint... I initially thought that you were using federated identity management to avoid storing my bank passwords in any system. But I was wrong. I am closing my mint account."


I have no idea if it's true, but after spending a decade vetting Internet postings to pick out disgruntled parties, kooks, vandals, and smearers, I'm pretty good at it, and this guy rings true. But while Mint is insanely popular, web searching has turned up no other parties making this claim. And that's really curious.

No comments:

Blog Archive