DataSafe password encryption ...not really
Hi team,
I just performed a test with datasafe on version 15.1.0.2. I set my login url to "/user_login.php" and the parameters "username" and "password" for the username/password field of my webpage. I asked datasafe to encrypt and obfuscate both my username and password parameters. then I reloaded my webpage.
I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (firefox80.0.1) console and lunched a small script which displays all the forms fields value:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"\n"; } } if (s) console.log("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();
I got the following result:
Passwords in forms on this page:
: hidden
q: text
:Go! submit
: hidden
id:0 select-one
:Go! submit
:kabe_admin text 08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden
:kabe_password password 08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden
: submit
action:login hidden
As you can see in the output, I was able to get a clear version of the password ! ok the field name doesn't appear in front of "kabe_password" but nonetheless it is of type "password" and after all the password is visible with this simple JS code !
If I can do it, I think that a Malware will more than able to do the same , right ? isn't it the goal of Datasafe to prevent malware from stealing information like this ? Is this a huge bug ? or am I missing something ?
PS: This is lab environment and I can share my config if needed. although this can easily be reproduced.
many thanks,
karim