Readable password in settings #349

Open
sk-juroot opened this issue Jan 5, 2022 · 1 comment
Labels
Bug Something isn't working

Comments

@sk-juroot
Contributor

Describe your problem!

User password is revealed as plaintext to anyone who opens WhereYouGo application settings.

How to reproduce?

  1. Run WhereYouGo
  2. Open Settings > Login credentials
  3. Click on Password

Actual result after these steps?

Plaintext password shown

Expected result after these steps?

Password field showing only masking characters ( • or * )

Reproducible

Yes

WhereYouGo Version

2022.01.02

System information

No response

Additional Information

Passwords should not be readable as plaintext anywhere in the GUI (as a basic security measure). When the Check login data functionality works, there is no need to have the user password visible. This may be a security issue for WYG players with extended access to other Groundspeak services.

@sk-juroot sk-juroot added Bug Something isn't working Unverified Issue not yet confirmed/reproduced or feature requests not yet checked for plausibility labels Jan 5, 2022
sk-juroot added a commit to sk-juroot/WhereYouGo that referenced this issue Jan 5, 2022
used AndroidX settings framework ignores `whereyougo_preferences_credentials.xml` value for hiding text as password, InputType is defined on password EditText binding

commit also fixes check for empty username and password on checklogin functionality (previously left as TODO), missing username or password should disable Check login data functionality

fixes cgeo#349
@Lineflyer
Member

Confirmed

@Lineflyer Lineflyer removed the Unverified Issue not yet confirmed/reproduced or feature requests not yet checked for plausibility label Jan 13, 2022
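
The approach described in the commit message above (setting the input type when the password EditText is bound, and disabling the login check when a credential is missing), shown as an added example that is not the project's own code. The class name, preference keys and XML resource name are assumptions.

```java
import android.os.Bundle;
import android.text.InputType;
import android.text.TextUtils;
import androidx.preference.EditTextPreference;
import androidx.preference.Preference;
import androidx.preference.PreferenceFragmentCompat;

// Hypothetical fragment; R is the app's generated resource class.
public class CredentialsFragment extends PreferenceFragmentCompat {
    // Hypothetical preference keys, not taken from WhereYouGo.
    private static final String KEY_USER = "username";
    private static final String KEY_PASS = "password";
    private static final String KEY_CHECK = "check_login";

    @Override
    public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
        // Hypothetical resource name for the credentials screen.
        setPreferencesFromResource(R.xml.credentials_preferences, rootKey);
        EditTextPreference user = findPreference(KEY_USER);
        EditTextPreference pass = findPreference(KEY_PASS);
        Preference check = findPreference(KEY_CHECK);
        if (user == null || pass == null || check == null) {
            return;
        }

        // The AndroidX dialog does not apply android:inputType from the
        // preference XML, so mask the field each time the dialog binds it.
        pass.setOnBindEditTextListener(editText -> {
            editText.setInputType(InputType.TYPE_CLASS_TEXT
                    | InputType.TYPE_TEXT_VARIATION_PASSWORD);
            editText.setSelection(editText.getText().length());
        });

        // The login check is only offered when both credentials are present.
        check.setEnabled(hasText(user.getText()) && hasText(pass.getText()));
        // The listener runs before the value is persisted, so use newValue.
        user.setOnPreferenceChangeListener((pref, newValue) -> {
            check.setEnabled(hasText((String) newValue) && hasText(pass.getText()));
            return true;
        });
        pass.setOnPreferenceChangeListener((pref, newValue) -> {
            check.setEnabled(hasText(user.getText()) && hasText((String) newValue));
            return true;
        });
    }

    private static boolean hasText(String s) {
        return !TextUtils.isEmpty(s);
    }
}
```

Masking the dialog field only addresses on-screen disclosure; how the stored value is protected at rest is a separate question this issue does not cover.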