bitrated
2FA-Password is saved in autocompletion of browser
When you sign up to bitrated, you need to enter a 2FA-Password. This is done via a usual text form:
Therefore the entered 2FA-password is saved by the web browser's autofill feature (maybe in plain text, depends on browser).
To prove this you just need to go to https://www.bitrated.com/join again, and the password can be autofilled by your browser.
Additionally the password is shown while you enter it.
This field should be changed from type="text" to type="password" for security reasons.
This might not be a big risk, but I already talked to one guy who said he won't use bitrated 'cause of this. It is a matter of trust, how entered passwords are handled...
Same issue at the login screen. A normal text field is used for the passphrase.
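
A check for the issue reported above, as an added example that is not part of the original report or bitrated's code: it scans form markup for inputs whose name, id or placeholder suggests a secret but whose type is not `password`. The sample form, its field names and the keyword heuristic are constructed assumptions.

```javascript
// Added example: flag <input> fields that appear to collect a secret but are
// not type="password". The keyword list is a heuristic, not a standard.
const SECRET_HINT = /pass(word|phrase)?|secret|2fa|otp/i;
const SKIPPED_TYPES = new Set(["password", "hidden", "submit", "button", "checkbox", "radio"]);

// Parse the attributes of a single <input ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per secret-looking input rendered as a visible text-like field.
function auditSecretInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<\s*input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || "text").toLowerCase(); // a missing type defaults to text
    if (SKIPPED_TYPES.has(type)) continue;
    const label = [a.name, a.id, a.placeholder, a["aria-label"]].filter(Boolean).join(" ");
    if (!SECRET_HINT.test(label)) continue;
    findings.push({
      field: a.name || a.id || "(unnamed)",
      type,
      issue: 'secret typed into a non-password field; use type="password"',
    });
  }
  return findings;
}

// Constructed sample markup modelled on the sign-up form described in the report.
const SAMPLE_JOIN_FORM = `
<form action="/join" method="post">
  <input type="text" name="username">
  <input type="text" name="2fa_password" placeholder="2FA password">
  <input name="passphrase">
  <input type="password" name="login_password">
  <input type="hidden" name="csrf_secret" value="x">
</form>`;

console.log(auditSecretInputs(SAMPLE_JOIN_FORM));
```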