Paket: Authentication configurations expose passwords

Created on 27 Oct 2016  路  4Comments  路  Source: fsprojects/Paket

Description

Exceptions and their stdout might print passwords in plaintext

Repro steps

I have no repro steps, the print occured on one of our managers computer and leaked his password to me.

Expected behavior

do not print plaintext password in exception texts

Known workarounds

I suspect the complete plaintext authentication sheme is not really secure. Still, having plaintext passwords printed to screen renders paket really untrustworthy ;)

I'd suggest simply to put StructuredFormatDisplay to authenication configs.

bug credentials security up-for-grabs

All 4 comments

i think this might be the right location https://github.com/fsprojects/Paket/pull/1985

We seem to run into this from time to time, see also #1224, #1357. Maybe it's time to consider switching to SecureString to prevent this from happening in the first place?

+1

(kind of fitting that this issue has id 1984...)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

purkhusid picture purkhusid  路  8Comments

renangms picture renangms  路  5Comments

matthid picture matthid  路  6Comments

ModernRonin picture ModernRonin  路  7Comments

0x53A picture 0x53A  路  8Comments