• Resolved Tanvir Roky

    (@tanvirroky)


    If I configure and save an FTP/SFTP account, the credentials can be seen easily from the storage provider setting. If I give someone admin access for any development purpose they can see those data easily. If I use the same server on multiple websites for backup, someone with access to one site can get the credentials and access to another website’s backup files. This might be the same on Amazon and DigitalOcean accounts. I haven’t tried.
    So my suggestion is, do not show the FTP server username and password in the setting. Instead, add a button to edit the information (with empty input fields) if someone wants to reconfigure. Even the previous username and password should not be displayed when editing.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support tonyrobins

    (@tonyrobins)

    Hello @tanvirroky

    Thanks for your feedback.

    The passwords for all the cloud storage are already encrypted (not in plain text) on the storage adding and editing page, please see the screenshot. And they are also encrypted in the website databases where they are stored.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    ?? You call this encrypted? It can be shown as plain text just by changing the type to text from the inspect element option of any browser. It’s just hidden by CSS. https://snipboard.io/jDefmY.jpg
    Also not encrypted in the database. https://snipboard.io/1SBWKc.jpg

    Plugin Support tonyrobins

    (@tonyrobins)

    Hi @tanvirroky

    Thanks for your update.

    In that case, your suggestion would be a nice solution. Let us discuss and implement it.

    The password is encrypted in the database, as you can see in this screenshot; the password in the screenshot is not the real password, it has been encoded. Is the one in your screenshot the real password?

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    Thanks for your concern.
    Yes, the password is in plain text in the database in both of my screenshots (?%_______%%). The screenshot you shared is also showing it in plain text, I guess. One more thing: if the password is encrypted one-way in the database, how could it be used the next time it needs to connect? Encryption in the database is not necessary, I think. You can add a function to ask for the FTP password/access key when retrieving a backup file from the remote server or trying to download it. Because if the password is not encrypted and someone downloads the backup file and restores it on another host, they can get the FTP information there. Asking for the FTP password to retrieve or download a backup file will be another level of security.

    Plugin Support tonyrobins

    (@tonyrobins)

    Hi @tanvirroky

    Sorry, after checking it with our developers, I realized that it has not been implemented in the free version yet (the screenshot I sent you was from the pro version). So, let us discuss and implement it as well.

    The password in my screenshot is in plain text but has been encoded, therefore it is not the real password; for example, the real password is 123 while in the database it has been encoded to 6789. It does not affect the next connection.

    All the best,
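    The distinction the two posts above circle around is encoding versus encryption: a keyless transformation (123 to 6789) can be undone by anyone who can read the database, while the plugin still needs something reversible so it can reconnect. The following is an added example, not the plugin's own code, contrasting the two; it uses PHP's libsodium functions and assumes the key is derived from a wp-config.php constant such as AUTH_KEY, with constructed sample values.

```php
<?php
// Added example (not the plugin's code): a keyless "encoding" of a stored
// FTP password versus keyed, reversible encryption. Requires ext/sodium
// (PHP >= 7.2). The secret and credentials below are constructed samples.

// 1. "Encoding" with no key: anyone who can read the database reverses it.
function encode_password(string $plain): string {
    return strrev(base64_encode($plain));   // looks scrambled, but keyless
}
function decode_password(string $stored): string {
    return base64_decode(strrev($stored));  // any DB reader can do this
}

// 2. Encryption under a key that lives outside the database.
// Assumption: the key is derived from a wp-config.php constant such as
// AUTH_KEY, so a database dump or a restored backup alone does not hold it.
function storage_key(string $config_secret): string {
    // SHA-256 yields exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) raw bytes
    return hash('sha256', 'remote-storage-credentials|' . $config_secret, true);
}
function encrypt_password(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    // store nonce || ciphertext, base64-encoded so it fits a text column
    return base64_encode($nonce . $box);
}
function decrypt_password(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;  // false: wrong key or tampered
}

$password = 'ftp-pass-123';                         // constructed sample
$key      = storage_key('constructed-AUTH_KEY-value');

$encoded = encode_password($password);
assert(decode_password($encoded) === $password);    // reversible with no secret

$stored = encrypt_password($password, $key);
assert(decrypt_password($stored, $key) === $password);                 // reconnect works
assert(decrypt_password($stored, storage_key('other-site')) === null); // dump alone is useless
```

    Only the second scheme answers the concern in the thread: a backup restored on another host carries the ciphertext but not the wp-config.php secret.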

    Plugin Support tonyrobins

    (@tonyrobins)

    Hi @tanvirroky

    After discussing it, we have decided to implement your suggestion of ‘do not show the FTP server username and password in the setting’. We have also decided to implement encryption of the storage password in the database in the next few versions.

    Thanks again for your suggestions to help improve the plugin.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    Thanks a lot.

    Plugin Support tonyrobins

    (@tonyrobins)

    No problem and thanks again!

    Plugin Support tonyrobins

    (@tonyrobins)

    Hi @tanvirroky

    The new version 0.9.72 is ready. In the new version, we have implemented the features you suggested; you can update the plugin and check it out.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    Thank you so much

    Plugin Support tonyrobins

    (@tonyrobins)

    No problem.

    All the best

  • The topic ‘security issue on remote storage credentials’ is closed to new replies.