View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003162||2 - Next Dev List (Holding Area)||Bug||public||2019-02-06 10:52||2020-07-02 02:11|
|Summary||0003162: Logbook saves user passwords for call sign lookup services as plain text|
The Logbook saves a user-entered password for a third-party call sign lookup website as plain text on the user's machine. Any software or social engineering process that gains access to the settings file will have the user's password plainly available. While transparent encryption without another password to key the encryption doesn't completely hide the secret, it does help prevent other entities from directly viewing the credential and is a best security practice.
The product should be fixed to not store this credential in plain text. Instead, user-local encryption should be used.
|Steps To Reproduce|
0) If you already have a QRZ.com lookup password configured, go to step #6.
1) Start up the logbook
2) Use the "Tools" menu to find the "Config" tear-off
3) In the "Config" tear-off, use the "Callsign Lookup" command to get to the Callsign Lookup configuration
4) Enter a username and password for the QRZ.com lookup service. Doesn't have to be accurate.
5) Press OK to save and close the dialog.
6) Look for the ClientLogbookCallsignLookup.xml in the "%userprofile%\AppData\Roaming\HRDLLC\HRD Logbook" directory.
BUG#1) This file contains the entered QRZ.com password as plain text
This can be repeated with the passwords for the QRZ CQ, Ham Call, and Ham QTH lookup sources.
|Tags||No tags attached.|
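
One way to do the user-local encryption the report asks for, shown as an added example that is not the product's code or part of the original report: Windows DPAPI in `CurrentUser` scope, called from Windows PowerShell. The file name, the `CallsignLookup`/`Username`/`Password` element names and the sample values are hypothetical and constructed for the illustration.

```powershell
# Added example: protect a lookup password with per-user DPAPI before it is
# written to a settings file. XML layout and values below are hypothetical.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-LookupSecret {
    param([Parameter(Mandatory)][string]$Secret)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # CurrentUser scope: the blob is keyed to this Windows account, no extra password.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        return [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave the clear text in the buffer
    }
}

function Unprotect-LookupSecret {
    param([Parameter(Mandatory)][string]$Protected)
    $blob = [Convert]::FromBase64String($Protected)
    # Throws CryptographicException when the blob was created under another account or machine.
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    try { return [System.Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

# Constructed sample input
$path     = Join-Path $env:TEMP 'LookupSettings-example.xml'
$password = 'example-not-a-real-password'

# Write the settings file with the protected value instead of the clear text.
$doc  = New-Object System.Xml.XmlDocument
$root = $doc.AppendChild($doc.CreateElement('CallsignLookup'))
$root.AppendChild($doc.CreateElement('Username')).InnerText = 'N0CALL'
$root.AppendChild($doc.CreateElement('Password')).InnerText = Protect-LookupSecret $password
$doc.Save($path)

# Read it back: the stored text must differ from the password and must round-trip.
[xml]$saved = Get-Content -Raw $path
$stored = $saved.CallsignLookup.Password
if ($stored -eq $password) { throw 'password was written in plain text' }
if ((Unprotect-LookupSecret $stored) -ne $password) { throw 'round trip failed' }
"Stored value begins: $($stored.Substring(0, 16))..."
Remove-Item $path
```

As the report notes, this does not completely hide the secret: code running as the same Windows user can call `Unprotect` too. It does stop the password from being read directly out of a copied settings file.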