View Issue Details

ID: 0003162
Project: 3 - Current Dev List
Category: Bug
View Status: public
Last Update: 2019-02-06 10:52
Reporter: K7ZCZ
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.4.0.907
Target Version:
Fixed in Version:
Summary: 0003162: Logbook saves user passwords for call sign lookup services as plain text
Description
The Logbook saves a user-entered password for a third-party call sign lookup website as plain text on the user's machine. Any software or social engineering process that gains access to the settings file will have the user's password plainly available. While transparent encryption without another password to key the encryption doesn't completely hide the secret, it does help prevent other entities from directly viewing the credential and is a best security practice.

The product should be fixed to not store this credential in plain text. Instead, user-local encryption should be used.
Steps To Reproduce
0) If you already have a QRZ.com lookup password configured, go to step #6.

1) Start up the logbook
2) Use the "Tools" menu to find the "Config" tear-off
3) In the "Config" tear-off, use the "Callsign Lookup" command to get to the Callsign Lookup configuration
4) Enter a username and password for the QRZ.com lookup service. Doesn't have to be accurate.
5) Press OK to save and close the dialog.

6) Look for the ClientLogbookCallsignLookup.xml in the "%userprofile%\AppData\Roaming\HRDLLC\HRD Logbook" directory.

BUG#1) This file contains the entered QRZ.com password as plain text

This can be repeated with the passwords for the QRZ CQ, Ham Call, and Ham QTH lookup sources.
Tags: No tags attached.
Module: Logbook
Sub-Module: Call lookup
Testing: Not Started

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-02-06 10:52 K7ZCZ New Issue
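
The "user-local encryption" the report asks for maps to Windows DPAPI in the CurrentUser scope. The sketch below is an added example, not code from the product or from the reporter: it assumes Windows PowerShell 5.1, and the XML element and attribute names, the `dpapi:` prefix and both function names are hypothetical, not the real ClientLogbookCallsignLookup.xml schema.

```powershell
# Added example. The XML layout, the 'dpapi:' prefix and the function names
# are hypothetical; only the DPAPI calls are real .NET APIs.
Add-Type -AssemblyName System.Security   # loads ProtectedData (DPAPI wrapper)

$Scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Optional entropy ties the blob to this purpose; it is not a secret key.
$Entropy = [Text.Encoding]::UTF8.GetBytes('callsign-lookup-credential')

function Protect-LookupPassword {
    param([Parameter(Mandatory)][string]$Password)
    $plain = [Text.Encoding]::UTF8.GetBytes($Password)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
        return 'dpapi:' + [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave the bytes in memory
    }
}

function Unprotect-LookupPassword {
    param([Parameter(Mandatory)][string]$Stored)
    if (-not $Stored.StartsWith('dpapi:')) {
        throw 'Stored value is not DPAPI-protected (legacy plain text?)'
    }
    $blob  = [Convert]::FromBase64String($Stored.Substring(6))
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed settings document standing in for the file the report names.
[xml]$settings = '<Lookup><Source service="QRZ.com" user="N0CALL" password="example-only"/></Lookup>'

# Migration pass: any value without the dpapi: prefix is legacy plain text.
foreach ($src in $settings.Lookup.Source) {
    if (-not $src.password.StartsWith('dpapi:')) {
        $src.password = Protect-LookupPassword -Password $src.password
    }
}

$settings.OuterXml   # the password attribute is now an opaque, user-bound blob

# The same Windows account can recover the value; a copied file cannot be read elsewhere.
$roundTrip = Unprotect-LookupPassword -Stored $settings.Lookup.Source.password
if ($roundTrip -ne 'example-only') { throw 'DPAPI round trip failed' }
```

As the description notes, this does not hide the secret from code already running as the same user; it stops the password from being readable in a copied, backed-up or shared settings file.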