Razer investigating potential Synapse software security threat
A user on the official Razer Reddit forum has purportedly discovered a security flaw in Razer's Synapse application that could potentially allow third-party malware programs to pull and upload the user's Synapse login credentials. While forum posts from unverified sources are not usually newsworthy, this particular post details the exact steps to exploit the security flaw and has even received a short official response from Razer as a result.
The Razer Synapse software is pre-installed on all Razer notebooks from the Blade Stealth all the way up to the Blade Pro, and a special login is required in order to access macros, keyboard lighting settings, gameplay recording, cloud gaming data, and other features unique to the Razer family of products. This is in stark contrast to similar software programs from MSI, Aorus, Alienware, and Clevo, where all hardware-specific features are available offline without needing to sign up. While it may not sound like a critical issue to lose login credentials for some esoteric application, many users are in the habit of reusing the same usernames and passwords across a wide variety of unrelated programs.
There is not yet an ETA on when or if a future security patch will resolve the issue, but owners of Razer keyboards and laptops are highly encouraged to change their passwords in the meantime.
Update: Razer swiftly issued a longer official response earlier this morning regarding the newly discovered exploit:
"Razer likes to thank Reddit user /u/johnduhart for sending us his feedback. Our team has looked into this and would like to assure our users that their security is of utmost importance to us and that our server side encryption remains fully ensured and secure. With our upcoming improvements to Razer Synapse we will be moving away from current methods of local client storage and encryption of credentials. Concerned users may choose to update their passwords as a safety measure. All users are encouraged to practice good internet security awareness and habits such as using different passwords for different services, as well as we are encouraging all our users to ensure that their PCs are password protected to ensure that unauthorized 3rd parties do not have access."
In other words, the manufacturer will be changing the way it stores and encrypts login information to close the security hole entirely. There is still no word on when we can expect the fix to come, but it's good to know that the flaw is now on their radar and being worked on. In the meantime, changing your Synapse password would be the best course of action.