Project

General

Profile

Actions

Defect #41133

closed

Lack of encryption of password on the client side (?)

Added by Robert Swansons 4 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

Hello.

First of all, pardon if the question is dumb, or I am being paranoid (I am kind of tech-naive) but I'll ask nonetheless.
Today, upon inspecting the page (F12 in Chrome) when going to the Network tab -> login -> Payload I am able to see my password in plaintext!

It goes like this:
utf8: check
authenticity_token: cAWSFJiQOWAJERIOQWJRIOJQWOIRJIOQWR
back_url: /
username: arthraspwner1337
password: MY_LITERAL_PASSWORD
login: Login

Now, is there any option (via plugin, settings on website or modyfying some ruby config files) to HIDE the password in this tab?
Or is HTTPS sufficient here, or is this the 'industry standard'?

Thanks in advance!

Actions #1

Updated by Go MAEDA 4 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

Regarding the issue you’ve pointed out, the transmission of the entered login ID and password in plain text during form-based login is a common behavior in web applications. This is not a defect.

To prevent the password from being transmitted in plain text over the network, it is strongly recommended to use HTTPS.

Actions

Also available in: Atom PDF