View Issue Details

ID: 0003162
Project: 2 - Next Dev List (Holding Area)
Category: Bug
View Status: public
Last Update: 2020-07-02 02:11
Reporter: K7ZCZ
Assigned To:
Status: new
Resolution: open
Summary: 0003162: Logbook saves user passwords for call sign lookup services as plain text
The Logbook saves a user-entered password for a third-party call sign lookup website as plain text on the user's machine. Any software or social engineering process that gains access to the settings file will have the user's password plainly available. While transparent encryption without another password to key the encryption doesn't completely hide the secret, it does help prevent other entities from directly viewing the credential and is a best security practice.

The product should be fixed to not store this credential in plain text. Instead, user-local encryption should be used.
Steps To Reproduce
0) If you already have a lookup password configured, go to step #6.

1) Start up the logbook
2) Use the "Tools" menu to find the "Config" tear-off
3) In the "Config" tear-off, use the "Callsign Lookup" command to get to the Callsign Lookup configuration
4) Enter a username and password for the lookup service. Doesn't have to be accurate.
5) Press OK to save and close the dialog.

6) Look for the ClientLogbookCallsignLookup.xml in the "%userprofile%\AppData\Roaming\HRDLLC\HRD Logbook" directory.

BUG#1) This file contains the entered password as plain text

This can be repeated with the passwords for the QRZ CQ, Ham Call, and Ham QTH lookup sources.
Tags: No tags attached.
Sub-Module: Call lookup
Testing: Not Started


There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2019-02-06 10:52 | K7ZCZ | New Issue |
2020-07-02 02:11 | WA9PIE | Project | 3 - Current Dev List => 2 - Next Dev List (Holding Area)
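
The report asks for user-local encryption of the stored lookup password. The following is an added example, not code from the Logbook or from the reporter, showing one way to do that with Windows DPAPI in the current-user scope. DPAPI is an assumption here (the report names no mechanism), as are Windows PowerShell 5.1, the XML element names, the temp file name and the sample credential, all of which are constructed.

```powershell
# Added example: DPAPI (CurrentUser scope) round trip for a stored lookup password.
# Element names, file name and credential are constructed, not the Logbook's schema.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-LookupPassword {
    param([Parameter(Mandatory)][string]$Password)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    try {
        # No extra entropy: the key material is tied to the logged-on user's profile.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        return [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext buffer
    }
}

function Unprotect-LookupPassword {
    param([Parameter(Mandatory)][string]$Protected)
    $blob  = [Convert]::FromBase64String($Protected)
    # Throws CryptographicException if the blob belongs to another user or was altered.
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    try { return [System.Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

# Constructed settings document standing in for a lookup-settings file.
$path = Join-Path $env:TEMP 'ExampleCallsignLookup.xml'
$xml  = [xml]'<LookupSettings><Source name="ExampleService"><UserName>N0CALL</UserName><Password/></Source></LookupSettings>'
$xml.SelectSingleNode('/LookupSettings/Source/Password').InnerText =
    Protect-LookupPassword -Password 'constructed-sample-pw'
$xml.Save($path)

# Check 1: the file on disk must not contain the plaintext any more.
if ((Get-Content -Raw $path) -match 'constructed-sample-pw') {
    throw 'password is still stored in plain text'
}

# Check 2: the same user can recover the value when the lookup needs it.
$saved     = [xml](Get-Content -Raw $path)
$stored    = $saved.SelectSingleNode('/LookupSettings/Source/Password').InnerText
$recovered = Unprotect-LookupPassword -Protected $stored
if ($recovered -ne 'constructed-sample-pw') { throw 'round trip failed' }

Remove-Item $path
```

As the report notes for transparent encryption in general, this does not hide the secret from other code running as the same user; it keeps the credential from being directly readable by anyone who only obtains the settings file.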