UI Security Bug


Status
Not open for further replies.

Cyber Axe

New member
Oct 7, 2020
3
0
Just found this: when entering the password, if you click the icon to unmask the password and then submit, the password stays visible while it's processing, which is a risk even if minor.
 

ahauser

Member
Feb 22, 2019
15
3
@Cyber Axe, I've just tried reproducing the issue but wasn't able to trigger what you've described.

Could you please provide more detailed instructions and also let us know what device/Android version/app version you are using?
 

PHolder

Well-known member
May 19, 2018
222
46
@ahauser do you have specific code in the client for this? Perhaps it would be wise to pre-emptively copy the password out of the field, and then blank the field, when the user hits the "okay" button?
 

ahauser

Member
Feb 22, 2019
15
3
> @ahauser do you have specific code in the client for this?

@PHolder no, this is standard Android behaviour when using the android.support.design.widget.TextInputEditText widget in conjunction with android:inputType="textPassword".

We could of course hide the password programmatically when clicking on "Login", but I would like to understand the issue better before rushing to a solution, since I don't see the described behaviour on my end.

So it would be great if @Cyber Axe could provide some more information. Thank you!
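
An added example, not part of the thread and not the app's own code: one way to combine the two mitigations discussed above (re-masking the field when "Login" is clicked, and copying the password out before blanking the field). The class `PasswordFieldGuard`, its `attach` method and the `PasswordConsumer` callback are hypothetical names; the widget is the `TextInputEditText` named in the post.

```java
import android.support.design.widget.TextInputEditText;
import android.text.Editable;
import android.text.method.PasswordTransformationMethod;
import android.view.View;

import java.util.Arrays;

/** Hypothetical helper: secures the password field the moment "Login" is tapped. */
public final class PasswordFieldGuard {

    /** Hypothetical callback that receives a copy of the entered password. */
    public interface PasswordConsumer {
        // Must finish with the array (or take its own copy) before returning,
        // because the caller wipes it afterwards.
        void onPassword(char[] password);
    }

    private PasswordFieldGuard() {}

    public static void attach(View loginButton,
                              final TextInputEditText field,
                              final PasswordConsumer consumer) {
        loginButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // 1. Re-mask first, so an unmasked password is never left on
                //    screen while a progress dialog is drawn over the form.
                field.setTransformationMethod(PasswordTransformationMethod.getInstance());

                Editable text = field.getText();
                if (text == null) {
                    return;
                }

                // 2. Copy the characters out without creating an immutable String.
                char[] password = new char[text.length()];
                text.getChars(0, password.length, password, 0);

                // 3. Blank the visible field before any slow work starts.
                text.clear();

                try {
                    consumer.onPassword(password);
                } finally {
                    // 4. Overwrite our copy once the consumer is done with it.
                    Arrays.fill(password, '\0');
                }
            }
        });
    }
}
```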
 

Cyber Axe

New member
Oct 7, 2020
3
0
Sorry for the delay.

App version 1.7.0

Phone: Android Galaxy A71
One UI version: 2.1
Android version: 10

I cannot seem to replicate this error.

I believe these were the steps, which I've tried to no success:
Step 1: Go to the three dots in the top right
Step 2: Click the COG icon
Step 3: Click Settings
Step 4: Check the two Request options at the bottom.
Step 5: Click Save
Step 6: On the password prompt, click the eye icon to show the password, then enter the password and click OK; the box with the password stays visible on screen with the password on display.

I tried creating a new Identity and setting the same options I did with my core id by checking the two request options at the bottom, as that's when it happened to me; it brought up the encrypting and decrypting dialogs, but the password box was still visible in the background.

But I've not been able to get it to do it again.
 

ahauser

Member
Feb 22, 2019
15
3
These changes have now been merged into the main codebase and will be available in the upcoming 1.7.1 release.
Thanks again for the report, @Cyber Axe!
 