• Resolved tufty

    (@tufty)


    Hi, first of all, this is a GREAT plugin, thank you.

    My only issue with it is that if an error occurs from a url with an auth_secret on the end of it, then the auth secret is sent by email over the open internet, which I don’t think is good practice. Maybe it would be good to strip by default any query containing the words auth or secret, and the pro version to allow additional customisation.

  • EchoDash

    (@echodash)

    Thanks @tufty !

    Yes actually this was pointed out by one of our Pro customers last year, and we have updated it already in that plugin.

    It’s not 100% infallible but we now strip out any parameters in the URL or error notification message (in the case of HTTP timeout errors) that match (in whole or part):

    'password',
    'api_key',
    'apikey',
    'secret',
    'access_token',
    'client_secret',
    'auth',
    'authorization',
    'key',
    'token'

    And these are replaced by [REMOVED]. We are overdue for an update to the free plugin, I will try to get that sent out in the next few weeks. Thanks for pointing it out

    Plugin Author Jack Arturo

    (@verygoodplugins)

    Apologies, I was logged into the wrong .org account when I replied, and it doesn’t look like I can delete it. That comment above was from me (Jack), the developer
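
An added example, not part of the thread and not the plugin's own code: one way to implement the redaction described in the reply above, using the same substring list and the `[REMOVED]` placeholder. The function names and sample URLs are assumptions made for illustration; the last two samples show why substring matching is not infallible (it over-redacts some harmless names and misses secrets that are not in a listed parameter).

```php
<?php
// Substring list copied from the reply above.
const SENSITIVE_PARTS = ['password', 'api_key', 'apikey', 'secret', 'access_token',
    'client_secret', 'auth', 'authorization', 'key', 'token'];

/** True if the parameter name contains any listed word ("in whole or part"). */
function is_sensitive_name(string $name): bool {
    $name = strtolower(rawurldecode($name));
    foreach (SENSITIVE_PARTS as $part) {
        if (strpos($name, $part) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Replace the value of every name=value pair whose name is sensitive.
 * Works on a bare URL and on free text that embeds one, such as an
 * HTTP timeout message that quotes the request URL.
 */
function redact_secrets(string $text): string {
    // Group 1: start of text, "?", "&" or whitespace. Group 2: parameter name.
    // Group 3: value, running up to the next "&", "#" or whitespace.
    $pattern = '/(^|[?&\s])([^=&?#\s]+)=([^&#\s]*)/';
    return preg_replace_callback($pattern, function (array $m): string {
        return is_sensitive_name($m[2]) ? $m[1] . $m[2] . '=[REMOVED]' : $m[0];
    }, $text);
}

// Constructed sample inputs (hypothetical hosts and values).
$samples = [
    // The case from the original post: secret at the end of the URL.
    'https://example.test/hook?auth_secret=abc123&id=7',
    // URL embedded in an error message, upper-case parameter name.
    'cURL error 28: timed out for https://example.test/api?page=2&API_KEY=xyz',
    // Over-redaction: "author" contains "auth", "monkey" contains "key".
    'https://example.test/posts?author=jane&monkey=1',
    // Missed: secret carried in the path and in a parameter not on the list.
    'https://example.test/reset/abc123?sig=deadbeef',
];
foreach ($samples as $sample) {
    echo redact_secrets($sample), PHP_EOL;
}
```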
