Oscar Stankard, posted December 7, 2016

Hi there,

I'm a user of Service Manager, and when I click on an email and then click the two reciprocating arrows icon above the message (the sending log, presumably), I note that the login credentials appear as plaintext in this view. This is not a great idea; they should be removed from the log. I am an admin user, and they should still not be visible in the logs. There should be no place to see passwords as plaintext; this is a basic best practice.

Kind regards,
Oscar
Gerry, posted December 7, 2016

Hi Oscar,

As far as we are aware the log does not show an actual password; the mail transport stuff obfuscates the password, so it's not the actual password being used. However, we must investigate this. I agree wholeheartedly: if this is the case it needs to be fixed. Could you post a screenshot (with the password bit blanked out, obviously) so we can see exactly what you are seeing? I would like someone here to investigate asap.

Thanks,
Gerry
Oscar Stankard (author), posted December 7, 2016

Hi there,

Thanks for your prompt response, Gerry. It seems that it's not quite sanitising it at that end, which would certainly be the right place for it to be done. Here's what I see; it's in the format of username/password. It's good to see the full logs though, especially without having to go into another system, so top marks in that regard.

Thanks again for your help.

Kind regards,
Oscar
Gerry, posted December 8, 2016

Hi Oscar,

We have looked into the problem you have reported and I can confirm this was in fact an issue. Our implementation was creating an obfuscation of the password for the purpose of logging but then not using it! So I am afraid we have to hold our hands up to this one; it was a defect of our own creating that had thus far slipped through the net. We have already taken the following actions:

1. The defect has been identified and fixed.
2. A patch has been deployed into production.
3. We have applied data cleanups to all affected instances to remove the exposed credentials.

So this problem should now be resolved. We have monitored the logs generated and confirmed this is no longer happening on your instance.

We do take security issues very seriously. This one has been raised internally as a security event, and we have prioritised and acted in accordance with our ISM policies to effect a speedy resolution. Thank you for reporting it and providing the additional information we needed to track this down and resolve it.

Kind regards,
Gerry
Oscar Stankard (author), posted December 8, 2016

Hi there Gerry,

I have checked back and the whole line is now removed, username and password, which might be even better practice than just replacing the password with 8 asterisks! : )

I can see you've just responded too; thanks very much for your help getting this picked up so quickly.

Kind regards,
Oscar
Gerry, posted December 8, 2016

Hi Oscar,

Yes, we removed the credentials/asterisks completely; that makes more sense. There was some confusion about the need for diagnostics information, which for the purpose of the delivery log was not correct.

Thanks for confirming it's resolved.

Gerry
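The defect Gerry describes (a masked value built for logging but the raw credential written anyway), the fix he and Oscar confirm (the credential line dropped from the delivery log entirely), and the kind of regression check and log cleanup a practitioner would want around it, as an added example in Python. This is illustrative code, not Hornbill's or Service Manager's own; the log line shape "AUTH LOGIN user/password", the host name and the credentials are constructed for the demonstration and are assumptions.

```python
"""Added example: reproduce a "masked-but-not-used" credential logging bug,
show the fix (omit the line), and add a check plus a cleanup for old logs."""

import re
from typing import List

# Constructed sample values for the demonstration; not real credentials.
SMTP_HOST = "smtp.example.com"
SMTP_USER = "mailer@example.com"
SMTP_PASSWORD = "Hunter2!Example"

# Assumed shape of the credential entry ("username/password" after the verb),
# chosen to match the format Oscar describes; real transports differ.
AUTH_LINE = re.compile(r"^AUTH LOGIN \S+/\S+$")


def mask(_secret: str) -> str:
    """Fixed-width mask so a log never leaks even the password's length."""
    return "*" * 8


def delivery_log_buggy(user: str, password: str, host: str) -> List[str]:
    """The defect: the masked value is computed but the raw one is logged."""
    masked = mask(password)  # built for logging ...
    return [
        f"Connecting to {host}:587 (STARTTLS)",
        f"AUTH LOGIN {user}/{password}",  # ... and then not used here
        "250 OK message accepted",
    ]


def delivery_log_fixed(user: str, password: str, host: str) -> List[str]:
    """The fix as described in the thread: no credential line at all.

    `user` and `password` are still accepted so the two writers are
    drop-in replacements for each other; neither is written to the log."""
    return [
        f"Connecting to {host}:587 (STARTTLS)",
        "AUTH LOGIN succeeded",
        "250 OK message accepted",
    ]


def leaked_secrets(lines: List[str], secrets: List[str]) -> List[str]:
    """Lines that contain any secret verbatim. Run this over log output in
    the test suite so a regression of the bug fails the build."""
    return [ln for ln in lines if any(s in ln for s in secrets)]


def scrub_existing_log(lines: List[str]) -> List[str]:
    """Cleanup for logs already written before the fix: drop every
    credential line entirely, mirroring the data cleanup Gerry describes."""
    return [ln for ln in lines if not AUTH_LINE.match(ln)]


if __name__ == "__main__":
    buggy = delivery_log_buggy(SMTP_USER, SMTP_PASSWORD, SMTP_HOST)
    fixed = delivery_log_fixed(SMTP_USER, SMTP_PASSWORD, SMTP_HOST)
    print("buggy writer leaks:", leaked_secrets(buggy, [SMTP_PASSWORD]))
    print("fixed writer leaks:", leaked_secrets(fixed, [SMTP_PASSWORD]))
    print("scrubbed old log:", scrub_existing_log(buggy))
```

The `leaked_secrets` check is the piece worth keeping after the fix: point it at whatever the delivery log writer produces in a test with a known dummy password, and a future change that reintroduces the raw credential fails the test rather than surfacing in an admin's log viewer.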