
PW are being displayed as usernames on PostHog

Open skachid opened this issue 3 years ago • 1 comments

Bug description

I was invited by a colleague to join PostHog and I was asked to sign up, entering my email and password. Below is a screenshot of what this looks like: [screenshot: 1968]

I entered my login details, and the administrator was notified of my login. Only, it showed my password as my username to them (blacked out for security, obvs): [screenshot: Screen Shot 2022-09-15 at 3 48 02 PM]

How to reproduce

  1. Send an invite to a user
  2. Have them join and create an account
  3. When admin is notified, the PW will show up

Thank you for your bug report – we love squashing them!

skachid, Sep 15 '22 20:09

Having a look at this now. @skachid Can you confirm that when you logged in, your Display Name was not your password? Investigating the code so far, I can only see the possibility that your password got entered in the "First Name" field (possibly by an over-eager browser auto-completion?).

Did you log in and subsequently change your Display Name at https://app.posthog.com/me/settings? If so, then I am pretty sure this is what happened.

To be clear - we never store passwords in plain text so the only thing that I can think of that happened is that your password somehow landed in that "First Name" field...

benjackwhite, Sep 16 '22 07:09