I uninstalled FreeSCAN version 2.18 from my Windows 10 machine, and I noticed something interesting that I thought I should post here. I like to verify any remaining files/folders aren't still lingering after uninstalling a program so I did a quick search of the entire disk for "freescan" and nothing was found. I'm a bit of a deletionist, and I like to be a little more thorough, so I opened the registry editor, and did a search again for "freescan," looking for any remaining installation artifacts I could remove. Buried deep in HKEY_USERS, I found something interesting:
Right there - in plain text - is my radioreference.com username and password. If you use the RadioReference database import features and keep the "remember me" box checked, this is how your credentials are stored.
Uninstalling FreeScan, via the included uninstaller or the Windows control panel, DOES NOT remove the stored radioreference username and password from your computer. This information is accessible to any user who can open the registry editor. But more importantly, it is accessible to any executing program on your machine. I would consider this a somewhat concerning issue - storing passwords in plain text is never a good idea as a software developer. Microsoft does provide tools for Windows applications to securely handle data such as usernames and passwords - notably, the Data Protection API.
I have attempted to contact Sixpot Software to alert them to this vulnerability.
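The Data Protection API mentioned in the post, shown as an added example; it is not part of the original post and is not FreeSCAN's code. It assumes Windows PowerShell 5.1, and the registry key `HKCU:\Software\ExampleScannerApp`, the value name `RRPassword` and the sample secret are hypothetical, constructed for illustration.

```powershell
# Added example: store a "remember me" secret as a DPAPI blob instead of plain text,
# and remove it on uninstall. Key, value name and secret are hypothetical.
Add-Type -AssemblyName System.Security   # provides ProtectedData (DPAPI wrapper)

$KeyPath = 'HKCU:\Software\ExampleScannerApp'   # hypothetical, not FreeSCAN's real key
$Scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-ProtectedSecret {
    param([string]$Name, [string]$Secret)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # Encrypts with a key tied to the current user's logon credentials
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext buffer
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $blob -PropertyType Binary -Force | Out-Null
}

function Read-ProtectedSecret {
    param([string]$Name)
    $blob  = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
    # Throws a CryptographicException if called by a different user or on another machine
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
    try { [System.Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

function Remove-StoredSecrets {
    # What an uninstaller should do: delete the key that holds the credential
    if (Test-Path $KeyPath) { Remove-Item -Path $KeyPath -Recurse -Force }
}

Save-ProtectedSecret -Name 'RRPassword' -Secret 'constructed-sample-password'

# The registry now holds an opaque binary blob, not the readable password
$raw = (Get-ItemProperty -Path $KeyPath -Name 'RRPassword').RRPassword
'Stored {0} bytes as {1}' -f $raw.Length, $raw.GetType().Name
'Round trip ok: {0}' -f ((Read-ProtectedSecret -Name 'RRPassword') -eq 'constructed-sample-password')

Remove-StoredSecrets
'Key still present after cleanup: {0}' -f (Test-Path $KeyPath)
```

With `CurrentUser` scope the blob is unreadable to other accounts and to anyone holding an offline copy of the registry hive, but a program running as the same logged-on user can still call `Unprotect` on it. Deleting the key on uninstall is what removes the credential from the machine.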