Open droidmonkey opened 5 months ago
I think we should just remove the setting and always display bullet points and the eye button.
Oh no, I hate showing bullets when nothing is there
We already show a fixed number of bullets regardless of how long the password actually is. If you follow that logic, you should do the same if the length is 0.
It's my way of knowing if there is actually a password or not. I know that's a workflow for many others as well.
Well, then we should at least fix the button inconsistency.
Originally reported by @kunszabo
Summary
The presence/absence of the "reveal content" eye button before the fields gives out information about the given field being empty or having a content, even when the content is only displayed as placeholder dots.
Details
On the General tab of a displayed entry the "reveal content" eye button is not shown before an empty user name or password field. This gives out a clue about the current value when the "/View/Hide Usernames" and "/View/Hide Passwords" settings are turned on:
no eye button + placeholder dots = empty field
clickable eye button + placeholder dots = some non-empty data
If the "reveal content" eye button is displayed for empty fields, too, then this small info leak will be prevented.
PoC
1. Turn on "/View/Hide Usernames" and "/View/Hide Passwords".
2. Enable "Use placeholder for empty password fields" in the Security settings tab.
3. Enable "Hide passwords in the entry preview panel" in the Security settings tab.
4. Create a new entry with no user name and no password, and select this item in the list on the main panel. Effect: the entry preview panel will show the user name and password fields without a preceding "reveal content" eye button.
5. Edit the entry and enter some non-empty content into the user name and password fields, and save the entry. Effect: the preview panel changes; there is now a clickable "reveal content" eye button in front of the user name and password fields.
Impact
If someone can see the preview panel or hear the voice of a screen reader, they will know if the given fields are empty or not, even if the placeholder dots are displayed instead of the real content. The impact is probably negligible: it does not allow the retrieval of any non-empty information, and exploiting it requires physical presence, but I still think that this should be fixed, especially because the fix seems to be trivial.
Checked on MS Windows only, with KeePassXC version 2.7.8
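The leak in the report is an observer-distinguishability problem: with hiding turned on, everything a bystander (or a screen reader) can perceive should be the same whether the field is empty or not. The model below is an added illustration and not KeePassXC code; it reduces the preview panel to a pure function so the reported behaviour and the proposed fix can be compared with a regression-style check. The placeholder width, the screen-reader wording and the function names are assumptions of the model, and the sample values are constructed. The `placeholder_for_empty` flag models the "Use placeholder for empty password fields" setting from the PoC, which, when turned off, reveals emptiness by design (the workflow described in the thread above).

```python
from dataclasses import dataclass
from typing import Callable, Sequence

# Fixed-width placeholder: the panel shows the same number of dots whatever the
# real length is (the count here is an assumption, not KeePassXC's value).
PLACEHOLDER = "\u2022" * 6


@dataclass(frozen=True)
class Rendered:
    """Everything an observer of the preview panel can perceive for one field."""
    text: str            # characters painted in the panel
    reveal_button: bool  # whether the "reveal content" eye button is present
    announced: str       # what a screen reader would read out (assumed wording)


def _announce(text: str, reveal_button: bool) -> str:
    # A screen reader announces the visible text plus any focusable control;
    # the exact phrasing is an assumption of this model.
    return text + (", reveal content button" if reveal_button else "")


def render_reported(value: str, hide: bool, placeholder_for_empty: bool = True) -> Rendered:
    """Behaviour as reported: the eye button only appears when the field is non-empty."""
    if not hide:
        # Toggling visibility when nothing is hidden is outside this model.
        return Rendered(value, False, _announce(value, False))
    text = PLACEHOLDER if (value or placeholder_for_empty) else ""
    button = bool(value)  # the leak: button presence depends on the secret's emptiness
    return Rendered(text, button, _announce(text, button))


def render_proposed(value: str, hide: bool, placeholder_for_empty: bool = True) -> Rendered:
    """Proposed fix: with hiding on, the button is shown for empty fields too."""
    if not hide:
        return Rendered(value, False, _announce(value, False))
    text = PLACEHOLDER if (value or placeholder_for_empty) else ""
    button = True  # depends only on the hide setting, never on the value
    return Rendered(text, button, _announce(text, button))


Renderer = Callable[..., Rendered]
# Constructed sample values: empty, minimal, and a long passphrase.
SAMPLES: Sequence[str] = ("", "a", "correct horse battery staple")


def leaks_emptiness(render: Renderer, placeholder_for_empty: bool = True) -> bool:
    """True if the hidden rendering of an empty field differs from that of any
    non-empty field, i.e. an observer can tell the two apart."""
    empty = render("", True, placeholder_for_empty)
    return any(render(v, True, placeholder_for_empty) != empty for v in SAMPLES if v)


if __name__ == "__main__":
    print("reported renderer leaks emptiness:", leaks_emptiness(render_reported))
    print("proposed renderer leaks emptiness:", leaks_emptiness(render_proposed))
    print("proposed, placeholder for empty off:", leaks_emptiness(render_proposed, False))
```

The check compares the complete perceivable state (text, button and announced label), not just the dots, which is what the report is about: the placeholder alone was already indistinguishable, the button was not. The third call shows why the fix cannot be made unconditional without changing the setting as well: once the empty-field placeholder is disabled, the absence of dots leaks the same bit regardless of the button.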