Timothy
2008-05-20T14:56:53Z
I discovered a cryptographic flaw in the way RD Tabs encrypts and decrypts RDTSF (RD Tabs Secure Favorites) files. This flaw may allow an attacker to decrypt your RDTSF file without knowing your password. Additionally, files you have encrypted may not always decrypt, even if you use the correct password. A new version of RD Tabs 2.0 and RD Tabs 2.1 (currently in Beta) will be released later today. The RDTSF files created with this new version will not be backward compatible with older versions of RD Tabs, nor will older RDTSF files be forward compatible in newer versions of RD Tabs.

Although the attack has been proven in a test lab, no known cases of exploit have been reported. Details of how to attack the file format are being withheld.

RD Tabs 2.0.14 and newer 2.0.x versions and RD Tabs 2.1.8 and newer 2.1.x are not vulnerable to this attack because the cryptographic algorithm has been fixed. RD Tabs 1.x and older versions are not vulnerable to this attack because they do not support the RDTSF file format.

If you store passwords in the older RDTSF file format, delete those files and generate new ones with the patched RD Tabs being released later today. If you do not store passwords, information disclosure is still possible, but it is not severe. If you do not use the RDTSF format to import and export favorites, you have nothing to worry about.
Timothy
2008-07-07T10:46:28Z
Just wanted to point out that the versions with the offending code are no longer available for download.