#28225 closed Uncategorized (invalid)
Credentials of the Admin login form are stored browser due autocomplete was enabled by default.
| Reported by: | Pablo Catalina | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.admin | Version: | 1.11 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The credentials are stored on browser cache.
It is a security issue or vulnerability
CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
A variable on the configuration of the django application can be set to enable or disable autocompletion on the login form of the admin interface.
Change History (2)
comment:1 by , 7 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 7 years ago
In fact this issue has been reported several times to the security team. Here's the team's response:
We intentionally leave autocomplete enabled as we believe that all modern browsers now handle local form completion in a reasonably sane manner. Autocomplete enables individuals to use stronger passwords and makes them less susceptible to phishing attacks. These benefits greatly outweigh the minor risk here. If you disagree, we encourage you to also read this post: http://blog.0xbadc0de.be/archives/124
I don't believe that browsers storing login credentials is a security issue. By the way, security issues should be reported to the security team rather than in this ticket tracker.