VCS Settings - password leak
I updated the VCS root ID on two builds today, and Chrome prompted me to store the GitHub username and password. Upon further inspection, the user's password was stored in my Chrome password keychain and was visible to me.
This seems like a massive security leak to me.
Hi Jay,
Thanks for sharing your finding. I've created an issue on our tracker for review, although there are a few catches about your security concerns here:
- Permission control already makes it so that only users with project administrator access (or the appropriate edit permission) can edit the VCS root data. That is, it is expected that users who have permission to edit that page already have access to that information.
- The issue is not that the browser stores the password, but that TeamCity actually places the password in the password field. It is relatively trivial to find a way to display this password once it is in an editable text field, and you can store it elsewhere, not just in your browser's keychain. This might be solved by simply not filling the field with the password.
Please keep in mind that because these passwords need to be reused by TeamCity, they need to be stored encrypted, not hashed, so reducing the use of passwords as much as possible and making sure that your internal systems are well protected is important in securing your installation.
A workaround for the current situation is to manually store passwords as secure parameters and then set that configuration as a reference to the parameter instead of setting the password directly.
A quick follow-up. While the issue's visibility is private to TeamCity only due to possible security concerns, you can use the link https://youtrack.jetbrains.com/issue/TW-53458 as a reference if you follow up on it, or in case we decide to open its discussion publicly.
And a new follow-up. I had checked that the password field got filled after restarting, and it definitely did, but after passing it on internally, it was pointed out to me that the field is *not* filled with the password but with random numbers, which I could then confirm by simply inspecting the editable field.
So your browser should have actually stored a useless non-password. Could you double check that?
Denis,
I have checked, and yes, you are correct that the stored password is a useless non-password. The original password that I saw when I opened the ticket was numeric, as was the real password of the user that was stored. However, they did not match.
Sorry to cause any concern, and thank you for following this up.