Don't show passwords in plaintext


Walther Klust at Elego

Feb 18, 2020, 5:17:37 AM
to TortoiseSVN
There is an undocumented feature in TSVN which allows you to show the passwords of cached credentials in plaintext.

  - go to Settings->Saved Data->Authentication data->Clear...
  - a dialog "Remove Saved Authentication Data" is shown with a list of your cached credentials with the columns "Kind", "Realm String", "Username"
  - select one of the rows and execute a "Ctrl-Shift-Doubleclick" action
  - this action will now add a fourth column named "Password/phrase". This column shows all cached passwords in plaintext.

See also:

https://stackoverflow.com/questions/5910965/recover-svn-password-from-local-cache#5919519

This is a potential security issue and I would suggest a change in TSVN which either
  - completely removes this feature, or
  - deactivates this behavior by default while providing an option in advanced settings to turn it on again


Stefan

Feb 18, 2020, 10:32:40 AM
to TortoiseSVN
that's not a security issue.

Stefan

Feb 19, 2020, 2:19:11 AM
to TortoiseSVN
maybe a little more detailed:

* this really isn't a security issue because this only works with your own Windows account. And if you can't secure that, then you have a security issue but not because of TSVN.
* any tool can do it, so why remove it from TSVN?
* it's undocumented, so you won't see those accidentally. Using the "advanced settings" to turn this feature off as you suggested isn't better in that regard.
* have you checked your web browser lately? Every browser I know of lets you see all saved passwords somewhere in their settings pages.

Walther Klust at Elego

Feb 19, 2020, 7:48:10 AM
to TortoiseSVN
On Wednesday, 19 February 2020 at 08:19:11 UTC+1, Stefan wrote:
maybe a little more detailed:

* this really isn't a security issue because this only works with your own Windows account. And if you can't secure that, then you have a security issue but not because of TSVN.
This feature gives an attacker a very easy way to view your passwords in plaintext without the need to install any other tools. Only a few moments of access to the desktop are required. This is not an unrealistic scenario.
 
* any tool can do it, so why remove it from TSVN?
Within a corporate environment the ability to install additional tools usually is restricted.
Why is this feature even in TSVN? What purpose does it serve? Should we not strive towards keeping the features of a piece of software minimal for better maintainability and robustness?

* it's undocumented, so you won't see those accidentally. Using the "advanced settings" to turn this feature off as you suggested isn't better in that regard.
Having undocumented features in a piece of software should be avoided, at least for reasons of trust. And if this feature cannot be removed, it should at least be configurable with default off to make it as hard as possible for an attacker to misuse it.

* have you checked your web browser lately? Every browser I know of lets you see all saved passwords somewhere in their settings pages.
The browsers used in a corporate environment usually can be configured/hardened to prevent this behavior.


Stefan

Feb 19, 2020, 10:21:23 AM
to TortoiseSVN
On Wednesday, February 19, 2020 at 1:48:10 PM UTC+1, Walther Klust at Elego wrote:

On Wednesday, 19 February 2020 at 08:19:11 UTC+1, Stefan wrote:
maybe a little more detailed:

* this really isn't a security issue because this only works with your own Windows account. And if you can't secure that, then you have a security issue but not because of TSVN.
This feature gives an attacker a very easy way to view your passwords in plaintext without the need to install any other tools. Only a few moments of access to the desktop are required. This is not an unrealistic scenario.

if an attacker has access to your desktop, then your security is already gone!
Also, you don't need to install other tools: a simple copy/paste of a PowerShell script will do as well.
 
 
* any tool can do it, so why remove it from TSVN?
Within a corporate environment the ability to install additional tools usually is restricted.

We're dealing with source control here; the main audience is developers. And developers can always install tools.
 
Why is this feature even in TSVN? What purpose does it serve? Should we not strive towards keeping the features of a piece of software minimal for better maintainability and robustness?

Why? Just search this list for "i forgot my password" and you'll know why.
 

* it's undocumented, so you won't see those accidentally. Using the "advanced settings" to turn this feature off as you suggested isn't better in that regard.
Having undocumented features in a piece of software should be avoided, at least for reasons of trust. And if this feature cannot be removed, it should at least be configurable with default off to make it as hard as possible for an attacker to misuse it.


And you seriously think having it configurable in the advanced settings will make it more difficult for an attacker to use this feature than having it undocumented completely?
Am I missing something here?
 
* have you checked your web browser lately? Every browser I know of lets you see all saved passwords somewhere in their settings pages.
The browsers used in a corporate environment usually can be configured/hardened to prevent this behavior.


Nope. They can be configured to never store passwords, but not to never reveal the stored ones.