Author Topic: auto-populate shows passwords in the clear  (Read 5565 times)

Offline billyjoejimbob

  • Normal Members
  • Posts: 1
auto-populate shows passwords in the clear
« on: March 08, 2007, 04:22:56 AM »
Clicking on 'add' or 'delete section' for a password field in the advanced auto-populate will allow this field to be shown in the clear, bypassing the rdf encryption for these fields.

Here's how to observe this problem. Go to a page that has a password field and enter the password (of course, the field should now just have asterisks). Set up an account in passwordmaker for this website and go to advanced auto-populate. Click on the password field on the website and then click 'add' in passwordmaker. Sometimes you will be able to see your password briefly flash in the clear in passwordmaker before it is obscured by asterisks - not a huge problem. Now, go back to the website and click on the password field. The password will now show up in passwordmaker in the clear - this could be a problem if you have nosy neighbors. If you click off the password field and then back on, the passwordmaker will now correctly show only asterisks. Now here's the real security problem - with the asterisks still in place on the website, click 'delete section' in passwordmaker and then click on the password field on the website. Your password will show in the clear in passwordmaker. You can then add the password back into passwordmaker by clicking the 'add' button.

An attacker can look at all of your passwords you set up using the advanced auto-populate feature if they have access to your computer or just your rdf file.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • Posts: 3353
auto-populate shows passwords in the clear
« Reply #1 on: March 10, 2007, 04:01:13 PM »
Quote
An attacker can look at all of your passwords you set up using the advanced auto-populate feature if they have access to your computer or just your rdf file.
The passwords are encrypted in the RDF file even if they display in plain text (no asterisks) on the webpage.
« Last Edit: May 22, 2007, 03:49:26 PM by tanstaafl »

PasswordMaker Forums
