SynBioDex / libSBOLj

Java Library for Synthetic Biology Open Language (SBOL)
Apache License 2.0

SynBioHubFrontend login exposes passwords #543

Open jakebeal opened 6 years ago

jakebeal commented 6 years ago

This is a glaring and massive security problem:

    public void login(String email, String password) throws SynBioHubException
    {
        String url = backendUrl + "/login";

        HttpPost request = new HttpPost(url);
        request.setHeader("Accept", "text/plain");

        List<NameValuePair> params = new ArrayList<NameValuePair>();
        params.add(new BasicNameValuePair("email", email));
        params.add(new BasicNameValuePair("password", password));
        // excerpt ends here; the method continues in the library source

DO NOT EXPOSE PASSWORDS!

jamesamcl commented 6 years ago

Where exactly are the passwords exposed?

I agree that having API tokens would be better. However, sending passwords in forms over HTTPS is how most websites work, so I’m not sure how this is a “glaring and massive security problem”.

jakebeal commented 6 years ago

This isn't a website interface but an API for other programs. Requiring plaintext login information in the API means that I cannot store credentials in any encrypted form.

jamesamcl commented 6 years ago

Requiring plaintext login information in the API means that I cannot store credentials in any encrypted form.

OS X: https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/03tasks/tasks.html

Windows: https://msdn.microsoft.com/en-us/library/ms995355.aspx

iOS: https://developer.apple.com/library/content/samplecode/GenericKeychain/Introduction/Intro.html#//apple_ref/doc/uid/DTS40007797

Android: https://developer.android.com/reference/android/accounts/AccountManager.html

Linux: https://wiki.gnome.org/Projects/Libsecret

I still think SynBioHub should have API tokens instead, I'm just challenging the assertion that "this is a glaring and massive security problem". I can literally go into settings on my iPhone and look at my plain text mail passwords.

jakebeal commented 6 years ago

I don't need to quibble about scale, I just want to stop tossing around passwords in my Java code, because I am certain to screw up something and expose them.

cjmyers commented 6 years ago

In SBOLDesigner and iBioSim, we do not store the passwords that people enter. We only store the Key that is returned when you login. You don’t need to keep logging in each time as long as you have that key. The key currently persists indefinitely (or until the SynBioHub instance is restarted), but we have an issue about adding an age to the key to let them timeout eventually.

If you want to store a permanent login somewhere, then we may need to have something like an API key, but the current system is pretty similar to that actually. The only issue is we cannot currently create the key using SynBioHub.

On Feb 15, 2018, at 11:03 AM, Jacob Beal notifications@github.com wrote:

I don't need to quibble about scale, I just want to stop tossing around passwords in my Java code, because I am certain to screw up something and expose them.
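The pattern cjmyers describes (exchange the password once, keep only the returned key) together with the outcome jakebeal is after (no password lingering in application code), written out as an added example. This is not libSBOLj or SynBioHub code: it is a stand-alone Java 11+ class. Assumptions, not taken from the thread: that the token is presented on later requests as an X-authorization header, that /profile is a valid follow-up endpoint, that the login response body is the token as trimmed text/plain, and the in-memory fake transport with constructed credentials used in main so the class runs offline.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example (not libSBOLj code): log in once, retain only the returned token. */
public class TokenOnlyClient {

    /** Transport abstraction so the class can be exercised offline against a fake server. */
    interface Transport {
        String send(String method, String url, String token, byte[] formBody) throws Exception;
    }

    private static final byte[] HEX = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
    private final String backendUrl;
    private final Transport transport;
    private String token; // the only credential this object ever holds

    public TokenOnlyClient(String backendUrl, Transport transport) {
        this.backendUrl = backendUrl;
        this.transport = transport;
    }

    /** Real transport on java.net.http. The "X-authorization" header name is an assumption. */
    public static Transport httpTransport() {
        HttpClient client = HttpClient.newHttpClient();
        return (method, url, token, body) -> {
            HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(url)).header("Accept", "text/plain");
            if (body == null) b.method(method, HttpRequest.BodyPublishers.noBody());
            else b.header("Content-Type", "application/x-www-form-urlencoded")
                  .method(method, HttpRequest.BodyPublishers.ofByteArray(body));
            if (token != null) b.header("X-authorization", token);
            return client.send(b.build(), HttpResponse.BodyHandlers.ofString()).body();
        };
    }

    /** Exchanges the password for a token; every copy of the password is wiped before returning. */
    public void login(String email, char[] password) throws Exception {
        byte[] body = formBody(email, password);
        try {
            token = transport.send("POST", backendUrl + "/login", null, body).trim();
        } finally {
            Arrays.fill(body, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    /** A later call: only the token travels. "/profile" is an assumed endpoint. */
    public String profile() throws Exception {
        if (token == null) throw new IllegalStateException("not logged in");
        return transport.send("GET", backendUrl + "/profile", token, null);
    }

    /** Builds email=...&password=... without materialising the password as an immutable String. */
    static byte[] formBody(String email, char[] password) {
        byte[] prefix = ("email=" + URLEncoder.encode(email, StandardCharsets.UTF_8) + "&password=")
                .getBytes(StandardCharsets.UTF_8);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] tmp = new byte[prefix.length + 3 * utf8.remaining()]; // worst case: all bytes escaped
        int n = prefix.length;
        System.arraycopy(prefix, 0, tmp, 0, n);
        try {
            while (utf8.hasRemaining()) {
                int c = utf8.get() & 0xFF;
                boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                        || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
                if (unreserved) tmp[n++] = (byte) c;
                else { tmp[n++] = '%'; tmp[n++] = HEX[c >> 4]; tmp[n++] = HEX[c & 0x0F]; }
            }
            return Arrays.copyOf(tmp, n);
        } finally {
            Arrays.fill(tmp, (byte) 0);                              // scratch copy
            if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0); // UTF-8 copy
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fake server: accepts one login, then demands the token on the follow-up call.
        Transport fake = (method, url, token, body) -> {
            if (url.endsWith("/login")) {
                String form = new String(body, StandardCharsets.UTF_8);
                if (!form.equals("email=alice%40example.org&password=p%40ss%20w0rd"))
                    throw new SecurityException("rejected login");
                return "tok-constructed-123\n";
            }
            if (!"tok-constructed-123".equals(token)) throw new SecurityException("missing token");
            return "{\"user\":\"alice\"}";
        };
        TokenOnlyClient client = new TokenOnlyClient("https://synbiohub.example", fake);
        char[] password = "p@ss w0rd".toCharArray(); // constructed; in practice read from a prompt or keychain
        client.login("alice@example.org", password);
        System.out.println("password wiped: " + Arrays.equals(password, new char[password.length]));
        System.out.println("profile: " + client.profile());
    }
}
```

Two caveats a practitioner should keep in mind. Wiping the char[] and the encoded form body shortens the window in which the password sits in heap memory, but the HTTP library and the JVM may still make copies you cannot reach, so this limits exposure rather than eliminating it. And the token that survives is a bearer credential: it should be handed to the OS keychain (the APIs jamesamcl lists above) rather than a config file, and it only becomes safe to keep around once the server gives it the expiry cjmyers mentions is still an open issue.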