WebDAV password sent in plain text?
I have noticed that in the browser console in Firefox, Zotero "transmits" the password of the WebDAV client (CloudME in my case) in plain text.
Every time Zotero communicates with CloudME one such link is visible in the browser console without masking or encrypting the password:
https://username:password@webdav.cloudme.com/username/etc.
Isn't that a considerable security concern?
(I tried to be clear in my explanation but obviously I don't know the proper terms and technical jargon.)
Every time Zotero communicates with CloudME one such link is visible in the browser console without masking or encrypting the password:
https://username:password@webdav.cloudme.com/username/etc.
Isn't that a considerable security concern?
(I tried to be clear in my explanation but obviously I don't know the proper terms and technical jargon.)
Could you be more specific about where the password is being displayed? What's the full message that is being displayed? (a screenshot may be helpful if you're confident in your ability to properly obfuscate the password)
It appears in the Browser Console of Firefox (Tools -> Web Developer -> Browser Console), with an XHR tag(?).
To be clear, I didn't enable XHR (whatever it means) myself, it is the out-of-the-box Firefox configuration. I opened the Web Console because I wanted to see an unrelated error message and I noticed the password when I was adding some papers to Zotero.
If it is of some help, I can send some step by step screen shots but not before tomorrow, to make sure I use a temporary password and obfuscate it properly.
I appreciate the answers and the work. Thanks!