seeing username, password and TOTP in plain text after logging into Guacamole

seeing username, password and TOTP in plain text after logging into Guacamole

Madhukar Bhosale

Hi,

I am seeing username, password and TOTP in plain text after logging into Guacamole as well as token URL.

Regards

Madhukar




Re: seeing username, password and TOTP in plain text after logging into Guacamole

vnick


On Thu, May 21, 2020 at 06:06 Madhukar Bhosale <[hidden email]> wrote:

> Hi,
>
> I am seeing username, password and TOTP in plain text after logging into Guacamole as well as token URL.

Yes, this is normal and not a cause for concern. You’d see the same for any other web site that you log into with a username and password, because you are looking at the browser’s debug tools. This does not mean that it is being transmitted in plain text - from the screenshot I can see that you are using HTTPS, so the data is going to the server encrypted. However, because you are viewing the browser debug tools you are seeing it prior to encryption.

-Nick

Re: seeing username, password and TOTP in plain text after logging into Guacamole

Madhukar Bhosale
But, is there any way to hide it?

Regards
Madhukar

On Thu, May 21, 2020, 4:22 PM Nick Couchman <[hidden email]> wrote:

> On Thu, May 21, 2020 at 06:06 Madhukar Bhosale <[hidden email]> wrote:
>
>> Hi,
>>
>> I am seeing username, password and TOTP in plain text after logging into Guacamole as well as token URL.
>
> Yes, this is normal and not a cause for concern. You’d see the same for any other web site that you log into with a username and password, because you are looking at the browser’s debug tools. This does not mean that it is being transmitted in plain text - from the screenshot I can see that you are using HTTPS, so the data is going to the server encrypted. However, because you are viewing the browser debug tools you are seeing it prior to encryption.
>
> -Nick

Re: seeing username, password and TOTP in plain text after logging into Guacamole

vnick
On Mon, May 25, 2020 at 1:22 PM Madhukar Bhosale <[hidden email]> wrote:
> But, is there any way to hide it?


No, there is not.  Why do you care about hiding it?  It isn't being exposed to anyone except the person operating the browser, and then only if they have the Developer Console opened.

-Nick 

Re: seeing username, password and TOTP in plain text after logging into Guacamole

Saxa Egea
I'm not an expert or a developer... but if you use a DB as the user repository (PGSQL) there is no password in the cookie.

> From: "Nick Couchman" <[hidden email]>
> To: "user" <[hidden email]>
> Sent: Monday, 25 May 2020 19:36:30
> Subject: Re: seeing username, password and TOTP in plain text after logging into Guacamole
>
> On Mon, May 25, 2020 at 1:22 PM Madhukar Bhosale <[hidden email]> wrote:
>> But, is there any way to hide it?
>
> No, there is not. Why do you care about hiding it? It isn't being exposed to anyone except the person operating the browser, and then only if they have the Developer Console opened.
>
> -Nick



Re: seeing username, password and TOTP in plain text after logging into Guacamole

vnick
Actually, it is still there in that case.  You're looking at the response that is returned from the server, and not the data sent to the server.

The point is still that this is 1) completely normal, and 2) not a security risk, unless users are in the habit of keeping the developer console open while they browse around web pages with sensitive data like credentials.


-Nick

On Wed, May 27, 2020 at 5:16 AM Saxa Egea <[hidden email]> wrote:
> I'm not an expert or a developer... but if you use a DB as the user repository (PGSQL) there is no password in the cookie.
>
>> From: "Nick Couchman" <[hidden email]>
>> To: "user" <[hidden email]>
>> Sent: Monday, 25 May 2020 19:36:30
>> Subject: Re: seeing username, password and TOTP in plain text after logging into Guacamole
>>
>> On Mon, May 25, 2020 at 1:22 PM Madhukar Bhosale <[hidden email]> wrote:
>>> But, is there any way to hide it?
>>
>> No, there is not. Why do you care about hiding it? It isn't being exposed to anyone except the person operating the browser, and then only if they have the Developer Console opened.
>>
>> -Nick
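
Added example (not part of the thread and not Guacamole project code): the replies above say the debug tools show the values prior to encryption and that HTTPS is what protects them in transit. The JavaScript below checks that on a HAR file exported from the browser's Network tab, and goes one step beyond the thread by also flagging credentials placed in the URL. The field names, host, paths and sample HAR are assumptions constructed for illustration.

```javascript
// Added example: audit a DevTools HAR export (constructed sample below).
// Field names are assumptions for illustration; adjust to your login form.
const CREDENTIAL_FIELDS = new Set(["username", "password", "guac-totp"]);

// Form field names in a HAR request body (HAR carries params and/or raw text).
function bodyFieldNames(postData) {
  if (!postData) return [];
  if (Array.isArray(postData.params) && postData.params.length > 0) {
    return postData.params.map((p) => p.name);
  }
  const mime = postData.mimeType || "";
  if (mime.startsWith("application/x-www-form-urlencoded") && postData.text) {
    return [...new URLSearchParams(postData.text).keys()];
  }
  return [];
}

function auditHar(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    const isCred = (k) => CREDENTIAL_FIELDS.has(k);
    const inUrl = [...url.searchParams.keys()].filter(isCred);
    const inBody = bodyFieldNames(request.postData).filter(isCred);
    if (inUrl.length + inBody.length === 0) continue; // no credentials here
    const issues = [];
    // The debug tools always show the values; the transport scheme is what matters.
    if (url.protocol !== "https:") issues.push("sent-without-tls");
    // URLs are kept in history and logs even when TLS is used.
    if (inUrl.length > 0) issues.push("credential-in-url");
    findings.push({ endpoint: url.origin + url.pathname, issues });
  }
  return findings;
}

// Constructed sample: host, paths and values are placeholders.
const mimeType = "application/x-www-form-urlencoded";
const post = (url, postData) => ({ request: { method: "POST", url, postData } });
const get = (url) => ({ request: { method: "GET", url } });
const sampleHar = { log: { entries: [
  post("https://guac.example.test/guacamole/api/tokens",
    { mimeType, text: "username=alice&password=example-pw&guac-totp=000000" }),
  post("http://guac.example.test/guacamole/api/tokens",
    { mimeType, params: [{ name: "username" }, { name: "password" }] }),
  get("https://guac.example.test/guacamole/?username=alice&password=example-pw"),
  get("https://guac.example.test/guacamole/app.css"),
] } };

for (const f of auditHar(sampleHar)) console.log(f.endpoint, f.issues.join(",") || "ok");
```

A HAR export contains the same plain-text values the debug tools display, so the file itself should be handled as sensitive.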