Description
I wanted to edit the user config and I was shocked to find binary data instead of simple text for a settings file. When I dug further I found that the use of BinaryFormatter makes this application totally unsafe to use.
That's two clear reasons to stop using BinaryFormatter for settings. I would recommend using something that the user can edit, like JSON or XML. This will make maintaining settings much easier and more secure.
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.
An attacker who successfully leverages these vulnerabilities against an app can cause denial of service (DoS), information disclosure, or remote code execution inside the target app. This risk category consistently makes the OWASP Top 10. Targets include apps written in a variety of languages, including C/C++, Java, and C#.
In .NET, the biggest risk target is apps that use the BinaryFormatter type to deserialize data.
SOURCE: https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
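To show the replacement the issue asks for, here is an added example (not code from this project or from the Microsoft guide): the BinaryFormatter settings-file pattern beside a System.Text.Json version that rejects legacy binary files instead of falling back to the old formatter. `UserSettings`, `SettingsStore` and the property names are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical settings type; the project's real type is not shown on the page.
public sealed class UserSettings
{
    public string Theme { get; set; } = "light";
    public int FontSize { get; set; } = 12;
}

public static class SettingsStore
{
    // BEFORE (the pattern the issue objects to): the file is a BinaryFormatter
    // object graph, so the file itself decides which types get instantiated on
    // load. A SerializationBinder or type allow-list does not make this safe, and
    // the API is obsolete since .NET 5 (SYSLIB0011) and removed in .NET 9.
    //
    // var bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
    // using var fs = File.OpenRead(path);
    // return (UserSettings)bf.Deserialize(fs);

    // AFTER: plain JSON. The deserializer only ever creates UserSettings and the
    // primitive property types it declares; the file carries no type metadata.
    private static readonly JsonSerializerOptions Options = new()
    {
        WriteIndented = true,                                          // editable by hand
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,  // unknown keys are an error (.NET 8+)
        NumberHandling = JsonNumberHandling.Strict,                    // no numbers-as-strings leniency
    };

    public static void Save(string path, UserSettings settings) =>
        File.WriteAllText(path, JsonSerializer.Serialize(settings, Options));

    public static UserSettings Load(string path)
    {
        if (!File.Exists(path))
            return new UserSettings();                                 // first run: defaults

        byte[] bytes = File.ReadAllBytes(path);

        // A BinaryFormatter stream starts with a SerializationHeaderRecord whose
        // first byte is 0x00; JSON text never does. Refuse such a file outright
        // rather than keeping a BinaryFormatter "legacy fallback", which would
        // reintroduce exactly the deserialization risk the migration removes.
        if (bytes.Length > 0 && bytes[0] == 0x00)
            throw new InvalidDataException(
                $"'{path}' is a legacy binary settings file; delete it and restart with defaults.");

        return JsonSerializer.Deserialize<UserSettings>(bytes, Options) ?? new UserSettings();
    }
}
```

The `Disallow` and `Strict` options are optional hardening; the essential change is that nothing in the loaded file can name a type.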