MyBusyBee TextBlast Security Flawed
January 23, 2011
This week, I installed this software from their website, as they provide a downloadable package of varying types (Basic to Enterprise) at varying prices. So, I installed the Enterprise version of the product to see how the software works.
Upon launching it, I determined that they’re using an “offline” activation, which means all the activation logic resides in the program. Here’s what I discovered:
- The serial number field is based on the machine’s hard disk, which is why an activation key will only work with the specified serial number.
- The activation key is based only on partial data from the serial number, the license type (date duration or unlimited) and the date of activation.
- After decrypting the activation key, the program simply checks whether the resulting string is equal to “UnLimited” or to a given date string. If the string is “UnLimited”, end of story: no further validation is performed and your copy of the software is yours perpetually, without having to renew your activation key each month, which is exactly what you’re paying for based on your package type (the Enterprise cost is Php 5000.00).
- Embedding the password for your MS Access database is not security at all.
- Encryption and decryption both happen within the program, which is not good security practice unless the decryption process is not a simple one (some sort of looping algorithm that actually translates to the actual string).
With these discoveries, it was just a matter of minutes, and my downloaded version of the product is now licensed for a lifetime.
I hope the developer/s of this software will carefully examine how best to protect their software, so that their customers will always feel that the money they are paying is worth the product they are using.
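As an added example (not from the original post and not the product's code), here is one way to make offline activation keys unforgeable: the vendor signs the license data with a private key, and the program ships only the public key used to verify it. The payload layout, function names and the serial `HD-1234` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.StdEncoding

// IssueKey runs only on the vendor's server, which holds the private key.
// The payload layout "<serial>|<tier>|<expiry>" is constructed for this example.
func IssueKey(priv ed25519.PrivateKey, serial, tier, expiry string) string {
	payload := []byte(serial + "|" + tier + "|" + expiry)
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// VerifyKey runs in the shipped program, which embeds only the public key,
// so nothing stored in the binary is enough to produce a new valid key.
func VerifyKey(pub ed25519.PublicKey, key, machineSerial string, now time.Time) (string, error) {
	parts := strings.Split(key, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed key")
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("invalid signature")
	}
	f := strings.Split(string(payload), "|") // parsed only after the signature checks out
	if len(f) != 3 || f[0] != machineSerial {
		return "", errors.New("key not issued for this machine")
	}
	exp, err := time.Parse("2006-01-02", f[2])
	if err != nil || now.After(exp) {
		return "", errors.New("license expired")
	}
	return f[1], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	key := IssueKey(priv, "HD-1234", "Enterprise", "2011-02-23")
	tier, err := VerifyKey(pub, key, "HD-1234", time.Date(2011, 1, 23, 0, 0, 0, 0, time.UTC))
	fmt.Println(tier, err)
}
```

Every license here carries a signed expiry date, so there is no magic string that short-circuits validation. A signature prevents minting keys but does not protect the check itself from being altered in the binary, which needs separate tamper-resistance or server-side enforcement.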