Bug #4273
promptPassword in letUpdatePassword (closed)
Description
I came across a potential security issue related to the built-in AuthWidget. You can reproduce it with the blog example (or probably any other app using the AuthWidget):
- Login using username and password
- edit profile -> update password
You will see that the password is already filled in.
In the code, the parameter "promptPassword" for "letUpdatePassword" is set to 'true' and thus I would not only expect that I have to enter the password, but also that it is initially empty.
I think this could be a problem when you leave your machine unattended because someone can easily change your password. This is avoidable by resetting the password field right after login (sounds like a good idea anyway). Furthermore, when you login, change the password and change it again, the password field will still contain the password you entered on login (which is invalid at this point, since you changed it).
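The behaviour the report describes, and the fix it suggests, as an added illustration that is not code from the Wt project and does not use the real AuthWidget API: a hypothetical login form whose password buffer is wiped as soon as the credentials have been checked, and a hypothetical update-password form that, when `promptPassword` is true, always starts with an empty current-password field instead of inheriting the value typed at login. The names `PasswordField`, `Account`, `login`, `makeUpdatePasswordForm` and `updatePassword` are assumptions made for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical model (not Wt's AuthWidget): a password input whose buffer is
// overwritten before it is released, so the secret does not linger in memory
// or get reused by a later form.
struct PasswordField {
    std::string value;

    void clear() {
        if (!value.empty()) {
            volatile char* p = &value[0];
            for (std::size_t i = 0; i < value.size(); ++i) p[i] = 0;
        }
        value.clear();
    }
};

struct Account {
    std::string user;
    std::string password;
};

// Login flow from the report: check the credentials, then wipe the field
// right away, whether or not the login succeeded.
bool login(Account& acct, const std::string& user, PasswordField& field) {
    bool ok = (user == acct.user && field.value == acct.password);
    field.clear();  // the suggested fix: do not keep the password after login
    return ok;
}

// Hypothetical counterpart of letUpdatePassword(promptPassword = true):
// the current-password field is created fresh and empty.
struct UpdatePasswordForm {
    bool promptPassword = true;
    PasswordField currentPassword;
    std::string newPassword;
};

UpdatePasswordForm makeUpdatePasswordForm(bool promptPassword) {
    UpdatePasswordForm f;
    f.promptPassword = promptPassword;
    return f;  // built independently of the login form's state
}

// Applies the change only if the user re-typed the *current* password.
// Both fields are wiped afterwards so a second change cannot reuse them.
bool updatePassword(Account& acct, UpdatePasswordForm& form) {
    bool ok = !form.promptPassword || form.currentPassword.value == acct.password;
    if (ok) acct.password = form.newPassword;
    form.currentPassword.clear();
    form.newPassword.clear();
    return ok;
}

// Scenario 1: the login field is empty once authentication has run.
bool scenarioLoginClearsField() {
    Account acct{"alice", "old-pw"};  // constructed sample account
    PasswordField field;
    field.value = "old-pw";
    return login(acct, "alice", field) && field.value.empty();
}

// Scenario 2: the update form starts empty, so an unattended session does
// not allow a password change without re-entering the current one.
bool scenarioPromptStartsEmpty() {
    Account acct{"alice", "old-pw"};
    UpdatePasswordForm form = makeUpdatePasswordForm(true);
    if (!form.currentPassword.value.empty()) return false;
    form.newPassword = "changed-without-auth";
    return !updatePassword(acct, form) && acct.password == "old-pw";
}

// Scenario 3: after one change, the old password is rejected on the next.
bool scenarioStalePasswordRejected() {
    Account acct{"alice", "old-pw"};
    UpdatePasswordForm form = makeUpdatePasswordForm(true);
    form.currentPassword.value = "old-pw";
    form.newPassword = "new-pw";
    if (!updatePassword(acct, form) || acct.password != "new-pw") return false;
    form.currentPassword.value = "old-pw";  // stale value from login time
    form.newPassword = "newer-pw";
    return !updatePassword(acct, form) && acct.password == "new-pw";
}

int main() {
    std::cout << "login clears field: " << scenarioLoginClearsField() << '\n'
              << "prompt starts empty: " << scenarioPromptStartsEmpty() << '\n'
              << "stale password rejected: " << scenarioStalePasswordRejected() << '\n';
    return 0;
}
```

The third scenario is the one the report's last sentence points at: once the field is wiped after every use, a second change cannot silently succeed with the password that was valid at login.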
Updated by Koen Deforche over 9 years ago
- Status changed from New to InProgress
- Assignee set to Koen Deforche
Updated by Koen Deforche over 9 years ago
- Status changed from InProgress to Resolved
- Target version set to 3.3.5
Hey,
That's indeed a correct observation!
Koen
Updated by Koen Deforche about 9 years ago
- Status changed from Resolved to Closed