View Issue Details

ID: 0003164
Project: Ham Radio Deluxe
Category: Bug
View Status: public
Last Update: 2019-02-24 15:13
Reporter: K7ZCZ
Assigned To: K7ZCZ
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 6.4.0.907
Target Version:
Fixed in Version: 6.5.0.196
Summary: 0003164: Logbook stores SMTP credentials as plain text

Description:

The Logbook persists user-entered SMTP credentials in plain text on the user's machine.

Any software or social engineering process that gains access to the settings file will have the user's credentials plainly available. While transparent encryption without another password to key the encryption doesn't completely hide the secret, it does help prevent other entities from directly viewing the credential and is a best security practice.

The product should be fixed to not store this credential in plain text. Instead, user-local encryption should be used.
Steps To Reproduce:

0) If you already have a password-protected SMTP alarm configured, go to step #6.

1) Start up the logbook
2) Make sure the "DX Cluster" pane is visible
3) Click the "Alarms" button to reveal the "Manager" command in a dropdown menu
3) In the resulting "DX Cluster Alarms" dialog, activate the "Alarms: E-Mail" tab
4) Enter a user name and password in the "SMTP server account / password" fields
5) Press OK to save and close the dialog.

6) Look for the LogbookUserSettings.xml in the "%userprofile%\AppData\Roaming\HRDLLC\HRD Logbook" directory. This file contains the username and password entered at Step #4, in plain text.

Tags: No tags attached.
Module: Logbook
Sub-Module: DX Cluster
Testing: Beta Successful
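The manual check in step 6 can be scripted. The following is an added example, not HRD's code and not part of the original report: it flags credential-like elements and attributes in a settings XML whose values are not protected blobs. The element names, the name heuristic, and the assumption that the fix stores hex- or base64-encoded Windows DPAPI output are hypothetical; the report does not say how the protected fields are encoded.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Fixed first 20 bytes of a CryptProtectData (DPAPI) blob: version 1 + provider GUID.
DPAPI_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Hypothetical name heuristic; the real field names are not given in the report.
SENSITIVE = re.compile(r"pass|pwd|secret", re.IGNORECASE)


def is_dpapi_blob(value):
    """True if value is a hex- or base64-encoded blob carrying the DPAPI prefix."""
    text = value.strip()
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            if decode(text).startswith(DPAPI_PREFIX):
                return True
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return False


def find_plaintext_secrets(xml_data):
    """Return labels of credential-like elements/attributes that are not protected."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        fields = [(elem.tag, elem.tag, elem.text or "")]
        fields += [(f"{elem.tag}@{k}", k, v) for k, v in elem.attrib.items()]
        for label, name, value in fields:
            if SENSITIVE.search(name) and value.strip() and not is_dpapi_blob(value):
                findings.append(label)
    return sorted(findings)


# Constructed samples: hypothetical element names, made-up credential values.
SAMPLE_BEFORE = """<Settings><EmailAlarm SmtpPwd="hunter2">
  <SmtpAccount>operator@example.net</SmtpAccount>
  <SmtpPassword>hunter2</SmtpPassword>
</EmailAlarm></Settings>"""
FAKE_BLOB = base64.b64encode(DPAPI_PREFIX + bytes(64)).decode()  # header + zero padding
SAMPLE_AFTER = SAMPLE_BEFORE.replace("hunter2", FAKE_BLOB)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:  # bytes let the parser honour the XML encoding
            for label in find_plaintext_secrets(fh.read()):
                print(f"{path}: {label} is stored unprotected")
```

A field that passes this check is only shown to carry a DPAPI header; as the description notes, user-local encryption keeps the value from being read directly but does not hide it from code running as the same user.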

Activities

K7ZCZ

2019-02-14 12:28

administrator   ~0007391

fixed with this checkin, which protects the sensitive fields in the XML config file
https://hrdsoftware.visualstudio.com/HRD/_versionControl/changeset/4823

WA9PIE

2019-02-20 00:08

administrator   ~0007445

Validated

Issue History

Date Modified | Username | Field | Change
2019-02-06 11:08 | K7ZCZ | New Issue |
2019-02-14 12:28 | K7ZCZ | Assigned To | => K7ZCZ
2019-02-14 12:28 | K7ZCZ | Status | new => resolved
2019-02-14 12:28 | K7ZCZ | Resolution | open => fixed
2019-02-14 12:28 | K7ZCZ | Note Added: 0007391 |
2019-02-19 19:05 | K7ZCZ | Fixed in Version | => 6.5.0.194
2019-02-20 00:08 | WA9PIE | Status | resolved => closed
2019-02-20 00:08 | WA9PIE | Description Updated |
2019-02-20 00:08 | WA9PIE | Steps to Reproduce Updated |
2019-02-20 00:08 | WA9PIE | Testing | Not Started => Beta Successful
2019-02-20 00:08 | WA9PIE | Note Added: 0007445 |
2019-02-24 14:36 | WA9PIE | Fixed in Version | 6.5.0.194 => 6.5.0.196
2019-02-24 15:13 | WA9PIE | Project | 3 - Current Dev List => Ham Radio Deluxe