pyamsoft / tetherfi

TetherFi - Internet sharing without Root
Apache License 2.0
428 stars, 36 forks

Developer log should redact access point password info #350

Closed (brlin-tw closed 3 weeks ago)

brlin-tw commented 3 weeks ago

Currently, the user-specified access point authentication password is exposed in the developer log:

[D] Network info update accepted: GRP=Connected(ssid=DIRECT-TF-brlin, password=0123456789) CON=Connected(hostName=192.168.49.1)

As such information may be used in a credential stuffing attack, we probably should redact it by default.

Additional information

TetherFi: 49 from Google Play
Android: 14 (AP2A.240905.003)
Phone: Google Pixel 8 Pro

pyamsoft commented 3 weeks ago

Good catch, thank you.

I will redact passwords from the logs, thank you!

pyamsoft commented 3 weeks ago

Addressed in this commit: 9c4b42250a4a7e0b9b260b666ae658dd0eec44d0

Most likely for release 50

Thank you!
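
The log line in the report has the shape of a Kotlin data class's generated toString(), which prints every constructor property. One way to keep a password out of such output is a wrapper type with a redacting toString(); this is an added example, not TetherFi's code or the change in the commit referenced above, and the names Secret, LeakyGroup and RedactedGroup are hypothetical.

```kotlin
// Hypothetical types for illustration; these are not TetherFi's classes.

// Wrapper whose toString() never reveals the wrapped value. Code that
// really needs the secret must ask for it explicitly via reveal().
class Secret(private val value: String) {
    fun reveal(): String = value

    override fun toString(): String = "<redacted>"

    // Value-based equality so state comparisons in the containing data
    // class keep working without exposing the value itself.
    override fun equals(other: Any?): Boolean = other is Secret && other.value == value
    override fun hashCode(): Int = value.hashCode()
}

// Before: the compiler-generated toString() of a data class prints every
// constructor property, so logging the object logs the password.
data class LeakyGroup(val ssid: String, val password: String)

// After: same shape, but the password is a Secret, so the generated
// toString() prints the wrapper's redacted form instead.
data class RedactedGroup(val ssid: String, val password: Secret)

fun main() {
    // Constructed sample values, taken from the log line in the report.
    val leaky = LeakyGroup(ssid = "DIRECT-TF-brlin", password = "0123456789")
    val safe = RedactedGroup(ssid = "DIRECT-TF-brlin", password = Secret("0123456789"))

    // Same log statement for both; only the second keeps the password out.
    println("[D] Network info update accepted: GRP=$leaky")
    println("[D] Network info update accepted: GRP=$safe")

    // The real value is still available where it is needed (for example to
    // show it to the user on screen), but only through an explicit call.
    check(safe.password.reveal() == "0123456789")
    check("0123456789" !in safe.toString())
}
```

Because the redaction lives in the type rather than at each log call, any new log statement, exception message or string template that touches the object is covered as well.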