Security Issue: User password in the birthday field

Erassus ︎ ︎ Posted in Technical Support 3 years ago

Hi Community,

Today i was surprised that i found a user in my production environment that have the password in the birthday field. I know we all are going to ask how is this posible? because i tried manually to do that behavior and i can't.

I noticed that user was registered with the form, so is not from Facebook login.

I'm suspicious that user probably in her browser have autofill the some plugin or something, because, how this happened?

Note: is only that user, others new users are fine.
Note 2: I have disabled the tab showing gender and birthday and other details from the beggining, so others users cant see that information in her profile, but still a security issue.

Replies
German Michael Zülsdorff Replied 3 years ago

I agree with Arsalan that autocomplete="off" would be the best solution for the registration form in general.
You may add a 'valid date' checker, yes, but this wouldn't prevent saving a password as first or last name by mistake :)

Indonesian Arsalan Shah Replied 3 years ago

The only solution I see is autocomplete="off"

cl Erassus ︎ ︎ Replied 3 years ago

I think the same, Arsalan, it's probably an pre-fill from the browser itself and the user didnt notice that, but the birthday field doesnt have verification if some text are not a date numbers or picked from the calendar? I have enabled the 18+ years component too.

Indonesian Arsalan Shah Replied 3 years ago

Just to ease you Hugo, OSSN no way knows the password in plain text :) So its user browser some how pre-filling the password in that field. Otherwise OSSN no way knows the password in plain text and don't know actual password. It only compares hashes.