Username and password appear on console after POST

Viewed 722 times

2

The code below makes a POST of the data entered by the user in the login.

$http.post('api/v1/login', object).then(function (results) {
    return results.data;
});

Note that I pass as a parameter an object containing the data entered in the login:

// example of an object after filling in the login/password fields
{"customer":{"email":"[email protected]","password":"123456"}}

The problem is that when debugging in the Firefox console, I can see the email and password that were entered (see screenshot).

Doesn't this raise security problems?

As the application is built with AngularJS, the page is never refreshed; if the console is left open, whoever uses the application on that computer will see the exposed data if I just "logout" and keep the browser open.

  • 1

    I was researching something related and in fact, the only security is in the transmission (encryption); physically, the user has to have access to all his data. If he leaves the computer unprotected, it is a physical security failure, not a software one.

  • @Caputo the only way to solve this is to force a refresh after login; at least that would clear the console, but I think it would lose some of the logic, since one of the premises of AngularJS is to avoid refreshing the page.

  • The fact is that the prevailing view is that this information becoming "visible" is not a security flaw (according to some concepts I had researched some time ago).

  • 3

    Since you are using JS, the ideal would be to send a hash of the password, preferably with a salt given by the server, not the password itself. (1) the server provides the salt on the page; (2) the user fills in the data and clicks send; (3) the page hashes the password with the salt and returns it in the JSON; (4) the server compares the result, "salting" the stored password with the same salt it sent, and sees if they match. This is not a complete solution, but it improves the situation a little.

  • @Filipemoraes Refreshing after login really is an inconvenience, but I think it is essential to refresh after logout: not only to clear the console, but to clear any potentially sensitive data still present in the browser's memory. As for preventing the password from appearing in the console, maybe a protocol like SRP would help protect the original password even if someone has access to the browser while the user is still logged in (that session is already compromised, of course, but future sessions, not necessarily...).

1 answer

2

When you POST, these variables are not only visible in the console. The request the browser makes passes through dozens of machines before it reaches the server, and every one of those machines can read the request.

If you log into that system from a network, the network administrator can view the full content of the POST through the access logs, and your access can be watched in real time with tools like Fiddler2 or Wireshark.

Ideally you force the user to access the login page only over HTTPS, as websites like Gmail do. When you use HTTPS, the POST data is encrypted and cannot be easily read by third parties along the path between the browser and the server. It is not 100% safe, but for most cases it is 99,999% safe.

With HTTPS it will still be possible to see the credentials in the browser console. But as Caputo said, if the user leaves the computer unprotected, the security flaw is the user and not the system.
