View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010250 | Taler | libeufin-bank | public | 2025-08-12 08:49 | 2025-08-12 08:50 |
| Reporter | Christian Grothoff | Assigned To | Antoine A | ||
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | assigned | Resolution | open | ||
| Platform | i7 | OS | Debian GNU/Linux | OS Version | squeeze |
| Product Version | 1.0 | ||||
| Target Version | 1.1 | ||||
| Summary | 0010250: body of tan_challenges stores passwords in the clear? | ||||
| Description | From my understanding (but didn't try it out), the 'body' field of tan_challenges might store the new password in cleartext when a user is given a 2-FA challenge when changing the account password. That would be very bad. I think it would suffice for us to store the hash of the body, which would be more compact and avoid the vulnerability. | ||||
| Tags | security | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-08-12 08:49 | Christian Grothoff | New Issue | |
| 2025-08-12 08:49 | Christian Grothoff | Status | new => assigned |
| 2025-08-12 08:49 | Christian Grothoff | Assigned To | => Antoine A |
| 2025-08-12 08:50 | Christian Grothoff | Tag Attached: security |
