Unable to paste in API Key, whatever I paste gets deleted and 'autofilled' with junk (v.1.11.8)

Open sgehrman opened this issue 7 years ago • 12 comments

Tried Chrome and Firefox, same behaviour on both. I paste in the key and some kind of autofill comes and replaces the string with junk. I've used this plugin for a while, but am now getting this problem.

Version 1.11.8

Jul 22 '18 08:07 sgehrman

I see this issue mentioned on wordpress.org. 4 weeks ago!!! What is going on? This plugin is completely useless and broken.

Jul 22 '18 08:07 sgehrman

Found a workaround. chrome:settings, disable JavaScript, paste in API key and save. Then re-enable JavaScript. Anyone thinking of using SendGrid should find a better company. These guys don't give a F#CK.

Jul 22 '18 08:07 sgehrman

This is how it works. The API key gets hidden for security purposes. SendGrid is one of the best value for money.

Jul 22 '18 08:07 wolffe

So, being unable to paste in the API key is a feature? That's ridiculous. It's clearly broken and a bunch of people are complaining about this online.

Jul 22 '18 08:07 sgehrman

People who don't know how the web works. I've been using the plugin for 3+ years without a hitch. The API key gets scrambled and replaced with dots in some browsers for security purposes.

Jul 22 '18 08:07 wolffe

OK, maybe you're high or drunk. https://wordpress.org/support/plugin/sendgrid-email-delivery-simplified/reviews/?filter=1

Jul 22 '18 08:07 sgehrman

Upgrade your PHP, then. I can't reproduce the issue on PHP 7.2.

Jul 22 '18 08:07 wolffe

It is a valid issue. https://wordpress.org/support/topic/problem-with-auto-save-api-key/

Aug 21 '18 20:08 lukecav

Today I have the same problem. I disabled password saving on my site, and then I could configure it. It is a great plugin, but nobody knows if they cannot use it!

I reported it directly to SendGrid. I will be looking for an answer.

Nov 21 '18 00:11 Urano-Gonzalez

@wolffe security through obscurity isn't actually security. The key is still stored in plain text, and anyone with access to edit your site's options can view it (visit https://example.com/wp-admin/options.php and then ctrl+f sendgrid). It's poor UI and does not add any extra layer of security.

Jul 29 '19 11:07 QWp6t

Whoever has access to edit the options is obviously an admin and they are allowed to see it, edit it or remove it. And this value obfuscation still helps against non-tech users.

Jul 29 '19 18:07 wolffe

You're missing the point. The point is that it creates no new layer of security, so therefore you can't claim that the UI behavior is necessary for security reasons. Zero security measures have been taken when storing the API key in the database; that's not a criticism, just an observation. The UI obfuscation behavior provides a false sense of security at best. But the primary issue is that it is not benign because it also introduces a significant bug, hence this issue.

Anyway, I've made my case. You are completely wrong here, and I won't be bothering the kind folks who are watching this issue by debating this any further. I just wanted to make people aware that this is not actually any sort of security measure and therefore it's not a bug that should be ignored or disregarded.

Jul 30 '19 01:07 QWp6t