[Django] #28225: Credentials of the Admin login form are stored in the browser because autocomplete is enabled by default.


Django

May 19, 2017, 12:15:31 PM5/19/17
to django-...@googlegroups.com
#28225: Credentials of the Admin login form are stored in the browser because
autocomplete is enabled by default.
-----------------------------------------+------------------------
Reporter: xkill | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.admin | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
The credentials are stored in the browser cache.

It is a security issue or vulnerability.

CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)

A variable in the configuration of the Django application can be set to
enable or disable autocompletion on the login form of the admin interface.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 19, 2017, 1:12:35 PM5/19/17
to django-...@googlegroups.com
#28225: Credentials of the Admin login form are stored in the browser because
autocomplete is enabled by default.
--------------------------------+--------------------------------------
Reporter: Pablo Catalina | Owner: nobody
Type: Uncategorized | Status: closed
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => invalid


Comment:

I don't believe that browsers storing login credentials is a security
issue. By the way, security issues should be reported to the security team
(https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues)
rather than in this ticket tracker.

--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:1>

Django

Jun 21, 2017, 5:18:36 PM6/21/17
to django-...@googlegroups.com
#28225: Credentials of the Admin login form are stored in the browser because
autocomplete is enabled by default.
--------------------------------+--------------------------------------
Reporter: Pablo Catalina | Owner: nobody
Type: Uncategorized | Status: closed
Component: contrib.admin | Version: 1.11
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+--------------------------------------

Comment (by Tim Graham):

In fact this issue has been reported several times to the security team.
Here's the team's response:

We intentionally leave autocomplete enabled as we believe that all modern
browsers now handle local form completion in a reasonably sane manner.
Autocomplete enables individuals to use stronger passwords and makes them
less susceptible to phishing attacks. These benefits greatly outweigh the
minor risk here. If you disagree, we encourage you to also read this post:
http://blog.0xbadc0de.be/archives/124

--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:2>
