WebDAV password sent in plain text?

I have noticed that in the browser console in Firefox, Zotero "transmits" the password of the WebDAV client (CloudME in my case) in plain text.

Every time Zotero communicates with CloudME one such link is visible in the browser console without masking or encrypting the password:
https://username:password@webdav.cloudme.com/username/etc.

Isn't that a considerable security concern?

(I tried to be clear in my explanation but obviously I don't know the proper terms and technical jargon.)
  • You are using an HTTPS URL, so all traffic (including the specific username:password and the directory/file (username/etc.) that you are requesting) will be encrypted between your browser and CloudME.
  • edited July 3, 2015
    noksagt is correct that using HTTPS ensures that your password is not visible to anyone between your computer and CloudME (assuming your computer is not compromised). Firefox/Zotero console would come before SSL encryption, so it's theoretically possible that your password is displayed somewhere internally and that's definitely something we want to avoid. As far as we're aware, Zotero makes sure to mask the password (to "********") whenever it is displayed for debugging purposes and I'm not able to reproduce what you're reporting.

    Could you be more specific about where the password is being displayed? What's the full message that is being displayed? (a screenshot may be helpful if you're confident in your ability to properly obfuscate the password)
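As an added example (not Zotero's code and not posted by anyone in this thread): a small JavaScript helper that masks the password part of a URL to "********" before the URL reaches a log line, the behaviour the reply above describes for Zotero's own debug output. It uses the standard WHATWG URL class available in browsers and Node.js; the sample URLs are constructed.

```javascript
// Added example: redact credentials embedded in a URL before logging it.
// A URL of the form https://user:password@host/path carries the password in
// its userinfo section; anything that prints the raw URL (a debug log, a
// console XHR entry) therefore prints the password. Mask it first.
const MASK = "********";

function redactUrlCredentials(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser (browsers, Node.js)
  } catch (e) {
    // Not parseable as an absolute URL. Fall back to a conservative regex so
    // that a malformed input never leaks an embedded secret into the log.
    return rawUrl.replace(/(\/\/[^/@:]+:)[^@/]*@/, `$1${MASK}@`);
  }
  // The parser has already normalised a password containing "@" to "%40",
  // so replacing the whole password component is safe in every case.
  if (url.password !== "") {
    url.password = MASK;
  }
  return url.href;
}

// Logging wrapper: redact every http(s) URL inside a message, then log it.
// Returns the redacted message so callers (and tests) can check the result.
function safeLog(message) {
  const redacted = message.replace(/https?:\/\/[^\s"']+/g, (m) =>
    redactUrlCredentials(m)
  );
  console.log(redacted);
  return redacted;
}

// Constructed sample input, shaped like the URL described in the thread.
safeLog("XHR GET https://username:password@webdav.cloudme.com/username/etc. 207");
```

URLs without a userinfo section pass through unchanged, so the wrapper can be applied to every log line rather than only to the ones known to carry credentials.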
  • edited July 3, 2015
    That's just the Browser Console with "Log" (and maybe "XHR") enabled in the Net menu. Nothing we can do about that.
  • Yeah, have to have XHR enabled
  • Yes, Dan and aurimas are correct.
    It appears in the Browser Console of Firefox (Tools -> Web Developer -> Browser Console), with an XHR tag(?).
    To be clear, I didn't enable XHR (whatever it means) myself, it is the out-of-the-box Firefox configuration. I opened the Web Console because I wanted to see an unrelated error message and I noticed the password when I was adding some papers to Zotero.

    If it is of some help, I can send some step-by-step screenshots but not before tomorrow, to make sure I use a temporary password and obfuscate it properly.
  • No, don't worry about the screenshots, what you describe is what we expect. As Dan says, there is nothing we can do about it. This would be a Firefox issue, if it is an issue at all.
  • OK, I take it as I should not worry then.
  • It is a bit concerning, I'll admit, because it makes it easier for someone who is physically using your computer to obtain that password. Obfuscating wouldn't have much effect on the ability of malware to do the same, since there are many other ways it could obtain a stored password. Furthermore, obfuscation wouldn't prevent the malicious user from obtaining the password anyway if he/she is smart (again, many ways to do it). So basically, you shouldn't share your computer with users you don't trust.
  • Thanks for the explanation. In any case I will use a password that is unique for this specific application.
    I appreciate the answers and the work. Thanks!