UI Security Bug


Cyber Axe

New member
Oct 7, 2020
3
0
Just found this, when entering the password if you click the icon to unmask the password then submit the password stays visible while it's processing which is a risk even if minor.
 

ahauser

Well-known member
Feb 22, 2019
222
57
@Cyber Axe, I've just tried reproducing the issue but wasn't able to trigger what you've described.

Could you please provide more detailled instructions and also let us know what device/android version/app version you are using?
 

PHolder

Well-known member
May 19, 2018
1,207
202
@ahauser do you have specific code in the client for this? Perhaps it would be wise to pre-emptively copy the password out of the field, and then blank the field, when the user hits the "okay" button?
 

ahauser

Well-known member
Feb 22, 2019
222
57
@ahauser do you have specific code in the client for this?
@PHolder no, this is standard Android behaviour when using the android.support.design.widget.TextInputEditText widget in conjunction with android:inputType="textPassword".

We could of course hide the password programmatically when clicking on "Login", but I would like to understand the issue better before rushing to a solution, since I don't see the described behaviour on my end.

So it would be great if @Cyber Axe could provide some more information. Thank you!
 

Cyber Axe

New member
Oct 7, 2020
3
0
Sorry for the delay.

App version 1.7.0

Phone: Android Galaxy A71
One UI version: 2.1
Android version: 10

I cannot seem to replicate this error .

I believe these were the steps, which I've tried to no success
Step 1: Goto the three dots in the top right
Step 2: Click COG icon
Step 3: Click Settings
Step 4: Check the two Request options at the bottom.
Step 5: Click Save
Step 6: On password prompt click eye icon, to show password then enter password and click ok, the box with the password stays visible on screen with password on display.

I tried creating a new Identity and setting the same options i did with my core id by checking the two request options at the bottom as that's when it happened to me, it brought up the encrypting and decrypting dialogs but password box was still visible in background.

But I've not been able to get it to do it again.
 

ahauser

Well-known member
Feb 22, 2019
222
57

ahauser

Well-known member
Feb 22, 2019
222
57
  • Like
Reactions: Sithmagic