View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010250 | Taler | libeufin-bank | public | 2025-08-12 08:49 | 2025-09-02 20:28 |
Reporter | Christian Grothoff | Assigned To | Antoine A | ||
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | assigned | Resolution | open | ||
Platform | i7 | OS | Debian GNU/Linux | OS Version | squeeze |
Product Version | 1.0 | ||||
Target Version | 1.1 | ||||
Summary | 0010250: body of tan_challenges stores passwords in the clear? | ||||
Description | From my understanding (but didn't try it out), the 'body' field of tan_challenges might store the new password in cleartext when a user is given a 2-FA challenge when changing the account password. That would be very bad. I think it would suffice for us to store the hash of the body, which would be more compact and avoid the vulnerability. | ||||
Tags | security | ||||
|
We wanted to avoid having to hash the body, as this can cause problems especially with canonicalization. The solution was for the server to store the body and use the stored body once the challenge was solved. This means that the body is only transmitted *once*, but it is stored in plain text, which is less than ideal for passwords. If we hashed the parsed body (the Kotlin class) we would have something that does not require canonicalization, but it can break when we update the server. This is not a big problem as the user can just retry. This would be a breaking change, as this means the body is passed *twice*, but this is something we can do for the SPA. |
|
I can see the canonicalization issues, but storing the user's new password in the clear in the database is IMO a *bigger* issue. We should discuss this entire design, but I'm busy tomorrow, so probably Thursday might work. Need to make sure merchant + libeufin do it the same way, and both do it "right". |
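
The trade-off discussed in the two notes above, as an added example that is not part of the thread or of libeufin's code: a hash of the raw bytes breaks when the client re-serializes the request, while a hash of the server's parsed form does not. The JSON field names, the `ChallengeStore` class and its columns are assumptions for illustration, and Python stands in for the Kotlin server.

```python
import hashlib
import hmac
import json
import secrets


def raw_digest(raw_body: bytes) -> bytes:
    """Hash of the bytes as sent: any re-serialization by the client changes it."""
    return hashlib.sha256(raw_body).digest()


def parsed_digest(raw_body: bytes, salt: bytes) -> bytes:
    """Hash of the parsed request, re-serialized in one fixed form by the server."""
    parsed = json.loads(raw_body)
    fixed = json.dumps(parsed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, fixed, hashlib.sha256).digest()


class ChallengeStore:
    """In-memory stand-in for the tan_challenges table (hypothetical columns)."""

    def __init__(self) -> None:
        self.rows: dict[int, dict[str, bytes]] = {}

    def create(self, raw_body: bytes) -> int:
        # Only a per-challenge salt and the digest are kept, never the body.
        # Caveat: a fast hash of a guessable password can still be brute-forced
        # offline if this table leaks.
        salt = secrets.token_bytes(16)
        cid = len(self.rows) + 1
        self.rows[cid] = {"salt": salt, "body_hash": parsed_digest(raw_body, salt)}
        return cid

    def confirm(self, cid: int, raw_body: bytes) -> bool:
        # The client sends the body a second time; apply it only if it matches.
        row = self.rows.get(cid)
        if row is None:
            return False
        return hmac.compare_digest(row["body_hash"], parsed_digest(raw_body, row["salt"]))


if __name__ == "__main__":
    # Constructed sample requests: same fields, different key order and spacing.
    first = b'{"old_password":"hunter2","new_password":"correct horse"}'
    again = b'{ "new_password": "correct horse", "old_password": "hunter2" }'
    store = ChallengeStore()
    cid = store.create(first)
    print(raw_digest(first) == raw_digest(again))
    print(store.confirm(cid, again))
```

A digest made before a server update that changes the parsed form will no longer match afterwards, which is the "user can just retry" case from the first note.
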
Date Modified | Username | Field | Change |
---|---|---|---|
2025-08-12 08:49 | Christian Grothoff | New Issue | |
2025-08-12 08:49 | Christian Grothoff | Status | new => assigned |
2025-08-12 08:49 | Christian Grothoff | Assigned To | => Antoine A |
2025-08-12 08:50 | Christian Grothoff | Tag Attached: security | |
2025-09-02 16:26 | Antoine A | Note Added: 0025773 | |
2025-09-02 16:27 | Antoine A | Status | assigned => feedback |
2025-09-02 16:46 | Christian Grothoff | Note Added: 0025774 | |
2025-09-02 16:46 | Christian Grothoff | Status | feedback => assigned |