motioneye-project / motioneye

A web frontend for the motion daemon.
GNU General Public License v3.0

Exposing admin username in javascript could be a potential security risk #2256

Open developerfromjokela opened 2 years ago

developerfromjokela commented 2 years ago

Hello! motionEye seems to expose the admin username in its HTML as a JavaScript variable. I think this is a potential security risk for brute-force and/or dictionary attacks towards the login system.

What was/is the purpose of keeping that variable in HTML?

G2G2G2G commented 2 years ago

This has nothing to do with brute force or dictionary attacks in any way. Data logging/sniffing/reading, sure.

developerfromjokela commented 2 years ago

It has. If you don't expose your username, they cannot log in even if they had the correct password.

developerfromjokela commented 2 years ago

It makes that job easier.

MichaIng commented 2 years ago

> What was/is the purpose of keeping that variable in HTML?

It is how it is passed from the backend to the browser's JavaScript to check whether the current user is the admin user, in order to show/hide or enable/disable certain GUI elements:

However, I agree this is not so awesome. The admin username cannot be changed via the GUI, but at least manually via the config file. Since it is not used anywhere else in the frontend, it makes more sense to pass an "isAdmin" flag instead of the name. Even smarter would be to apply an admin or non-admin class to admin-only HTML elements right in the backend, so they are shown/hidden in the first place without needing to toggle classes via JavaScript, making even passing this flag obsolete.
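The pattern described in the thread and the two suggested fixes, side by side, as an added illustration that is not motionEye's own code. The template rendering is simulated with plain Python string building; `ADMIN_USERNAME`, the `render_*` functions and the page markup are constructed for this example.

```python
import json

# Constructed sample value; motionEye reads the real admin name from its config.
ADMIN_USERNAME = "admin"


def render_weak(current_user: str) -> str:
    """Pattern the issue reports: the admin login name itself is emitted as a
    JavaScript variable so the frontend can compare it to the current user.
    Every visitor who can load the page receives the admin username."""
    return (
        "<script>"
        f"var adminUsername = {json.dumps(ADMIN_USERNAME)};"
        f"var username = {json.dumps(current_user)};"
        "</script>"
        '<div id="admin-panel" class="admin-only hidden">Admin settings</div>'
    )


def render_hardened(current_user: str) -> str:
    """Both fixes from the thread combined: the backend decides admin status
    and emits only a boolean, and admin-only markup is rendered only for the
    admin, so no class toggling (and no username) is needed in JavaScript.
    The flag controls presentation only; the server must still authorize
    every admin action on its own."""
    is_admin = current_user == ADMIN_USERNAME
    parts = [
        "<script>",
        # json.dumps(bool) yields a plain true/false JS literal, nothing user-supplied
        f"var isAdmin = {json.dumps(is_admin)};",
        "</script>",
    ]
    if is_admin:
        parts.append('<div id="admin-panel">Admin settings</div>')
    return "".join(parts)


def leaks_admin_name(page: str) -> bool:
    """Reviewer check over rendered output: does the admin username appear as
    a quoted string literal (the form a script variable or attribute value
    would take)? Matching the quoted form avoids false hits on ids like
    "admin-panel"."""
    return json.dumps(ADMIN_USERNAME) in page


if __name__ == "__main__":
    print("weak leaks:", leaks_admin_name(render_weak("alice")))          # True
    print("hardened leaks:", leaks_admin_name(render_hardened("alice")))  # False
```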