
Credentials stored in plain text.

Open douglasg14b opened this issue 5 years ago • 6 comments

Given the commodity of privacy and security breaches these days, I would imagine this to be an extremely important requirement for the extension.

The lack of this is concerning, and begs the question of whether the same negligence for secret management is practiced in other services/software as well.

There is the requirement for a Client Id and Client Secret, why is this not enough to authenticate the client? The necessity for a Username and Password defeats the purpose of having client specific tokens, no?

douglasg14b avatar May 20 '19 16:05 douglasg14b

Unfortunately, no. The refresh token lasts only two weeks (by default) and then it should be obtained again with user credentials. It is easy to make a non-storing-credentials wallabagger, but who wants to enter credentials every two weeks?

Rurik19 avatar May 23 '19 07:05 Rurik19
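The "non-storing-credentials" design Rurik19 describes, written out as an added example (this is not wallabagger's code): only the access/refresh tokens are persisted, the refresh grant is tried first when the access token expires, and the user is prompted for username/password only when the refresh token itself has expired or been revoked. It assumes a standard OAuth2 token endpoint with "password" and "refresh_token" grants; the endpoint, storage object and prompt callback are stand-ins constructed for the example.

```javascript
// Added example, not wallabagger's own code. Assumes a standard OAuth2 token
// endpoint with "password" and "refresh_token" grants. Callbacks are synchronous
// here so the flow is easy to trace; a real extension would use fetch() and await.
class TokenSession {
  // opts: clientId, clientSecret, tokenRequest(params), storage, promptCredentials()
  constructor(opts) { Object.assign(this, opts); }

  // Persist only tokens and their expiry; username/password never reach storage.
  save(resp, now) {
    this.storage.tokens = {
      access_token: resp.access_token,
      refresh_token: resp.refresh_token,
      expires_at: now + resp.expires_in * 1000,
    };
    return this.storage.tokens;
  }

  // Ask the user for credentials, exchange them once, and let them go out of scope.
  login(now) {
    const { username, password } = this.promptCredentials();
    const resp = this.tokenRequest({ grant_type: 'password', client_id: this.clientId,
      client_secret: this.clientSecret, username, password });
    return this.save(resp, now);
  }

  // Return a usable access token: cached -> refreshed -> re-prompt, in that order.
  getAccessToken(now) {
    const t = this.storage.tokens;
    if (t && now < t.expires_at - 60_000) return t.access_token;   // 60 s safety margin
    if (t && t.refresh_token) {
      try {
        const resp = this.tokenRequest({ grant_type: 'refresh_token', client_id: this.clientId,
          client_secret: this.clientSecret, refresh_token: t.refresh_token });
        return this.save(resp, now).access_token;
      } catch (e) { /* refresh token expired (two weeks by default) or revoked: re-prompt */ }
    }
    return this.login(now).access_token;
  }
}

// Constructed stand-in for the server: one valid credential pair; the first refresh
// token works once, the one issued after it is treated as already expired.
function fakeTokenEndpoint() {
  let issued = 0;
  return (p) => {
    const ok = (p.grant_type === 'password' && p.username === 'alice' && p.password === 'correct horse')
            || (p.grant_type === 'refresh_token' && p.refresh_token === 'rt-1');
    if (!ok) throw new Error('invalid_grant');
    issued += 1;
    return { access_token: `at-${issued}`, refresh_token: issued === 1 ? 'rt-1' : 'rt-expired', expires_in: 3600 };
  };
}
```

With this layout a stolen storage file yields only revocable tokens, and the two-week refresh limit Rurik19 mentions shows up as exactly one extra prompt per refresh-token lifetime.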

Ref. https://github.com/wallabag/wallabag/issues/2800

tcitworld avatar May 23 '19 07:05 tcitworld

@Rurik19

There are many ways to solve that problem (Such as indefinite tokens for the extension or OAuth), storing user credentials in plaintext locally is not an acceptable method... It's negligent and cavalier handling of user secrets. It's exposing your users to unnecessary risk.

This is not simply my opinion, this is an industry standard. There are minimum thresholds of sensitive data management to be considered non-negligent. Even GDPR makes mention of it.

There are countless, reputable, online resources that highlight this, such as OWASP, CWE, the Microsoft Blog, and Troy Hunt's blog in general, as well as a multitude of blogs, posts, forum topics, questions, etc., like Coding Horror or the PIA Blog, and informational posts on how to tackle or think about this problem, such as this, or this, or this.

Entire libraries and standards have been created SPECIFICALLY for this problem, such as OAuth.

who wants to enter credentials every two weeks?

This is not an excuse to expose user credentials and put your users at risk. It's a problem to solve...


I'm not sure how some other applications do it, I imagine through OAuth, but Raindrop.io as an example immediately connects to your account when the extension is installed if you're already logged in.

douglasg14b avatar May 24 '19 16:05 douglasg14b

This is a duplicate of #145 and #151. Reasons are explained there.

mdirik avatar Jun 27 '19 08:06 mdirik

I must admit, I did find it odd that the extension needed a client key and my account credentials. It seems that storing the account credentials undermines the idea of the client keys.

Ideally, if an attacker compromises one device, the others are untouched, but since the attacker basically owns the account at that point, they could revoke other devices etc.

I like the way github does things with personal access tokens.

vext01 avatar Oct 11 '19 11:10 vext01

I must admit, I did find it odd that the extension needed a client key and my account credentials. It seems that storing the account credentials undermines the idea of the client keys.

Yes. It makes the client key absolutely pointless because they give no additional security: to revoke access to a client, you still need to rotate the main account password because it's everywhere.

anarcat avatar Oct 11 '19 14:10 anarcat