• Resolved motivmedia

    (@motivmedia)


    The autogenerated password during the restore process is passed to the form where you can set a new one as a GET parameter. Therefore it is stored in the browser’s history.

    Can I suggest generating the password only when outputting the form code instead of passing it along in a redirect?

    As it is, a site may secure transmission of sensitive data by using SSL, which is undermined by sending it in the clear as part of a request.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter motivmedia

    (@motivmedia)

    It’s even worse! For one: The autogenerated password that’s transmitted in the request is actually automatically set. I thought it bad enough that it suggests a password that’s stored in the history and the user might be prone to just accept.

    But what takes the cake is: You can actually enter another password of your choosing into that input field. There might be no submit button or anything, but just hit Enter. So, crisis averted? No, absolutely not. This new password of one’s own choice is also transmitted via GET. So you can even put a password you’d actually use in your browser’s history – and, if you’re on an insecure connection, it will also be transmitted in plain text. SSL does nothing to prevent this due to the way this plugin works.
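To make the issue raised in the two posts above concrete, here is an added illustration (not the plugin’s own code; the function names and the logged-in-user assumption are hypothetical): the redirect-with-password pattern beside a version that generates the password only when the form is rendered and accepts the new value over POST, so nothing secret ever appears in a URL.

```php
<?php
// Added illustration, not the plugin's code. Assumes a logged-in user.

// BEFORE: the generated password rides in the redirect URL, so it lands in the
// browser history, server and proxy logs and Referer headers, even over HTTPS.
function demo_insecure_restore_redirect() {
    $password = wp_generate_password( 12, true );
    wp_safe_redirect( add_query_arg( 'new_password', $password, home_url( '/set-password/' ) ) );
    exit;
}

// AFTER: the redirect carries nothing secret.
function demo_secure_restore_redirect() {
    wp_safe_redirect( home_url( '/set-password/' ) );
    exit;
}

// The suggested password is generated only while rendering the form, and the
// form submits via POST with a nonce, so neither a suggested nor a user-typed
// password can end up in the query string.
function demo_render_set_password_form() {
    $suggested = wp_generate_password( 16, true );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_set_password', 'demo_nonce' ); ?>
        <input type="password" name="new_password"
               value="<?php echo esc_attr( $suggested ); ?>" autocomplete="new-password">
        <button type="submit">Save password</button>
    </form>
    <?php
}

function demo_handle_set_password() {
    // Never accept the password from a GET request, even if a client sends one.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    check_admin_referer( 'demo_set_password', 'demo_nonce' );
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $password ) < 12 ) {
        wp_die( 'Password too short.' );
    }
    wp_set_password( $password, get_current_user_id() );
}
```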

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @motivmedia Unless it’s spam, abuse or something broken in the forums, please do not report topics again.

    It is not a means to get faster support; it only gets forum moderators’ attention and no one else’s.

    There is nothing in this topic that needs a forum moderator to do anything.

    Thread Starter motivmedia

    (@motivmedia)

    Sorry @jdembowski, I was not after quicker support or anything, but I think this plugin has serious security issues, which I tried to outline. Imho, this plugin should probably be reviewed, and reporting it as “security related” seemed to lead in that direction.

    Plugin Author Javier Carazo

    (@carazo)

    @motivmedia,

    My colleague was responsible for this plugin, but now he is busy.

    Could you tell me how you arrived at this situation?

    Plugin Author Javier Carazo

    (@carazo)

    I have seen it.

    Now it is fixed.

    Please update to the latest version.

    Thread Starter motivmedia

    (@motivmedia)

    I can’t confirm the fix and also can’t update. I’ve already uninstalled. If it is fixed I gotta commend you on doing this quickly!

    Plugin Author Javier Carazo

    (@carazo)

    @motivmedia, install again and you will see it done.

    If you have any other problem, please let me know.

  • The topic ‘Autogenerated password in history’ is closed to new replies.