SMTP password appears as plaintext in the email info window?


Oscar Stankard

Hi there,

I'm a user of Service Manager and when I click on an email, and click the two reciprocating arrows icon above the message (sending log presumably), I note that the login credentials appear as plaintext in this view. This is not a great idea; they should be removed from the log.

I am an admin user, but they should still not be visible in the logs. There should be no place to see passwords as plaintext; this is a basic best practice.


Kind regards,

Oscar


Hi Oscar,

As far as we are aware the log does not show an actual password; the mail transport code obfuscates the password, so it's not the actual password being used. However, we must investigate this. I agree wholeheartedly: if this is the case it needs to be fixed. Could you post a screenshot (with the password bit blanked out, obviously) so we can see exactly what you are seeing? I would like someone here to investigate ASAP.

Thanks,

Gerry


Hi there,

Thanks for your prompt response Gerry. It seems that it's not quite sanitising it at that end, and that would certainly be the right place for it to be done.

Here's what I see, it's in the format of username/password.

It's good to see the full logs though, especially without having to go into another system, so top marks in that regard.


Thanks again for your help.

Kind regards,

Oscar

Hornbill Password in Logs.png


Hi Oscar,

We have looked into the problem you have reported and I can confirm this was in fact an issue. Our implementation was creating an obfuscation of the password for the purpose of logging but then not using it! So I am afraid we have to hold our hands up to this one; it was a defect of our own creating that had thus far slipped through the net.

We have already taken the following actions:

1. The defect has been identified and fixed.

2. A patch has been deployed into production.

3. We have applied data cleanups to all affected instances to remove the exposed credentials.

So this problem should now be resolved. We have monitored the logs generated and confirmed this is no longer happening on your instance.

We do take security issues very seriously. This one has been raised internally as a security event and we have prioritised and acted in accordance with our ISM policies to effect a speedy resolution. Thank you for reporting it and providing the additional information we needed to track this down and resolve it.

Kind Regards,

Gerry


Hi there Gerry,

Have checked back and the whole line is now removed, username and password, which might be even better practice than just replacing the password with 8 asterisks! : )

Can see you've just responded too, thanks very much for your help getting this picked up so quickly.


Kind regards,

Oscar


Hi Oscar,

Yes, we removed the credentials/asterisks completely; that makes more sense. There was some confusion about the need for diagnostic information, which for the purpose of the delivery log was not correct. Thanks for confirming it's resolved.

Gerry

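The defect Gerry describes above (a masked value computed for logging but never used) and the two remedies discussed in the thread (mask the password, then drop the credential line from the delivery log entirely) can be shown side by side. The following is an added example, not Hornbill's code or log format: the log lines, the `smtp.example.invalid` host, the user name and the password are all constructed, and the `find_credential_exposure` check is a generic scan a log reviewer can run over any delivery log to confirm no configured secret appears verbatim.

```python
import re
from typing import Iterable, List, Optional, Tuple

MASK = "********"  # eight asterisks, the placeholder mentioned in the thread


def obfuscate(password: str) -> str:
    """Fixed-length placeholder for logging: reveals neither value nor length."""
    return MASK


def auth_log_line(user: str, password: str, mode: str) -> Optional[str]:
    """Render the AUTH LOGIN entry of a delivery log in one of three ways.

    "defective": the mask is built and then ignored (the bug pattern above)
    "masked":    the mask replaces the secret (first fix)
    "removed":   no credential line is written at all (final fix)
    """
    if mode == "defective":
        masked = obfuscate(password)  # computed for logging ...
        return f"AUTH LOGIN {user}/{password}"  # ... but the real secret is logged
    if mode == "masked":
        return f"AUTH LOGIN {user}/{obfuscate(password)}"
    if mode == "removed":
        return None
    raise ValueError(f"unknown mode: {mode}")


def render_delivery_log(user: str, password: str, mode: str) -> List[str]:
    """Constructed delivery log for one message (assumed format, not Hornbill's)."""
    lines = ["connect smtp.example.invalid:587", "STARTTLS ok"]
    auth = auth_log_line(user, password, mode)
    if auth is not None:
        lines.append(auth)
    lines.append("250 2.0.0 OK queued")
    return lines


# user/password pair as logged by the defective and masked variants
AUTH_PAIR = re.compile(r"AUTH LOGIN (\S+)/(\S+)")


def find_credential_exposure(lines: Iterable[str],
                             secrets: Iterable[str] = ()) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line that exposes a credential.

    Two checks: a configured secret appears verbatim anywhere in the line,
    or a user/password pair is logged with something other than MASK in
    the password slot. Run this over a delivery log after a fix to confirm
    the configured SMTP password no longer shows up.
    """
    secrets = [s for s in secrets if s]
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        if any(s in line for s in secrets):
            hits.append((n, "configured secret present verbatim"))
            continue
        m = AUTH_PAIR.search(line)
        if m and m.group(2) != MASK:
            hits.append((n, "unmasked user/password pair"))
    return hits


if __name__ == "__main__":
    user, pw = "mailer@example.invalid", "Hunter2!"  # constructed credentials
    for mode in ("defective", "masked", "removed"):
        log = render_delivery_log(user, pw, mode)
        print(mode, find_credential_exposure(log, [pw]))
```

Running the module prints one line per mode: the defective log is flagged on its AUTH line, while the masked and removed variants produce no findings. The verbatim-secret check is the one worth keeping in a post-fix verification: it needs only the password from the mail configuration and the exported log, and catches the value wherever it lands, not just in the AUTH line.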
