Open BibiJohn14 opened 1 month ago
Another issue is that anyone can see the passwords sent via POST requests. For example, during Azure login, the entire page is posted, but we can see the passwords in the request body via requests that are captured in developer tools. This is different from disabling logging.
Current behavior
Description:
While replaying an automation run on the Cypress Cloud Dashboard, the "Save Your Password" prompt appeared, displaying my colleague's username and password. This poses a significant security risk as sensitive credentials were exposed. This issue is reproducible.
Security Impact:
Sensitive credentials are exposed to unauthorized users, which can lead to security breaches.
Actions Taken:
Informed the affected colleague to change their password immediately.
Desired behavior
Secure Handling of Sensitive Data:
No Display of Sensitive Information: During the replay of any automation run, sensitive information such as usernames and passwords should never be displayed in plain text or prompts. These should be masked or hidden.
Environment Variables: Any sensitive information required for the automation run should be stored and accessed securely using environment variables or encrypted storage mechanisms.
Prompt Handling:
Avoid Unnecessary Prompts: The system should avoid triggering browser prompts for saving passwords during automated tasks. This can be achieved by ensuring that automation scripts handle login credentials securely and programmatically.
Data Encryption:
Encrypt Sensitive Data: Any sensitive data, including usernames and passwords, should be encrypted both in transit and at rest. This prevents unauthorized access even if data is intercepted or accessed without permission.
User Notification and Reporting:
User Awareness: Inform users when their credentials are being used or accessed, and provide them with options to manage their security settings.
Incident Reporting: Implement a mechanism for users to report any security incidents or suspicious activities promptly.
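As an added illustration of the "masked or hidden" and "environment variables" points above (this is not code from the Cypress project or from the issue author), the helper below scrubs credential-like fields from a captured request body before it is logged or attached to a test artifact. The key names it treats as sensitive and the constructed sample bodies are assumptions; the Cypress calls shown in the trailing comment (`Cypress.env()` and the `{ log: false }` option of `.type()`) are real Cypress APIs, but only keep the secret out of the command log, not out of a captured network request body.

```javascript
// Added example: redact credential-like fields from a captured request body.
// The set of sensitive key names below is an assumption about what a typical
// login form posts; extend it for your application.
const SENSITIVE_KEYS = /^(pass(word|wd)?|pwd|secret|token|otp)s?$/i;
const MASK = '***REDACTED***';

// application/x-www-form-urlencoded bodies: rewrite matching keys in place.
function redactUrlEncoded(body) {
  const params = new URLSearchParams(body);
  for (const key of [...params.keys()]) {
    if (SENSITIVE_KEYS.test(key)) params.set(key, MASK);
  }
  return params.toString();
}

// JSON bodies: walk nested objects/arrays and mask matching keys at any depth.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(redactObject);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.test(k) ? MASK : redactObject(v);
    }
    return out;
  }
  return value;
}

// Entry point: pick the parser from the Content-Type header; when the type is
// unknown, try JSON first and fall back to form encoding so a login POST is
// still scrubbed rather than stored verbatim.
function redactRequestBody(body, contentType = '') {
  if (typeof body !== 'string') return body;
  const ct = String(contentType).toLowerCase();
  if (ct.includes('json')) return JSON.stringify(redactObject(JSON.parse(body)));
  if (ct.includes('x-www-form-urlencoded')) return redactUrlEncoded(body);
  try {
    return JSON.stringify(redactObject(JSON.parse(body)));
  } catch {
    return redactUrlEncoded(body);
  }
}

// Constructed sample bodies (not real credentials) to show both paths.
const SAMPLE_FORM_BODY = 'username=alice&password=Hunter2%21&remember=on';
const SAMPLE_JSON_BODY = JSON.stringify({
  user: 'alice',
  credentials: { password: 'Hunter2!' },
  otp: '123456',
});

function demo() {
  return {
    form: redactRequestBody(SAMPLE_FORM_BODY, 'application/x-www-form-urlencoded'),
    json: redactRequestBody(SAMPLE_JSON_BODY, 'application/json'),
    sniffed: redactRequestBody(SAMPLE_FORM_BODY), // no Content-Type given
  };
}

console.log(demo());

// In a Cypress spec (illustrative only, not runnable here), keep the secret
// out of the command log by reading it from the environment and suppressing
// the log for the typing step:
//   cy.get('#password').type(Cypress.env('PASSWORD'), { log: false });
```

The redaction helper is deliberately a pure function so it can sit in a support file and be applied to any request body a test decides to record; masking in the command log via `{ log: false }` does nothing for a request body that is captured separately, which is why the body is scrubbed before it is persisted.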
Test code to reproduce
Steps to Reproduce:
Cypress package version: 13.13.2
Cypress binary version: 13.13.2
Bundled Node version: 18.17.1
Chrome Version: Version 127.0.6533.74
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22631 N/A Build 22631
Cypress Version
13.13.2
Node version
v18.20.3
Operating System
Microsoft Windows 11 Pro: 10.0.22631 N/A Build 22631
Debug Logs
No response
Other
No response