security issue - wlan credentials visible in tidal login

If something seems really buggy, report it here!

Ads helps Volumio remain Free and Open Source. Please consider donating to help us continue to serve you.

security issue - wlan credentials visible in tidal login

Postby cavelord » Tue Apr 16 2019 12:41

Hi All,

first of all thank you very much for this excellent music system !!
To help improve it Ieven more I share my latest observation.

I observed a security issue with volumio 2.565 on Raspberry Pi 2.
I installed the following plugins:
Spotify
Volumio Spotify Connect2
Backup&Restore Data
Volumio simple equalizer
Amplifier switch
Touch display
Some of them are installed for future use; I only activated Spotify and Backup.
The system is accessible only via WLAN with WPA2.

Now to the security issue:
When I access "My Music" then within the Tidal and Quobuz sections the Username and Password are filled; Username is filled with my WLAN SSID and Password with dots (I suspect it is the WLAN password).
Either if I delete these entries or fill them with fake entries and login to tidal - which returns "success" - in either case the Username and Password are unchanged to the SSID and the dots if I leave the page and return.

Is there a way I can change this ?
If not - can this be fixed ?

Thank you very much.
Random avatar
cavelord
Fresh off the boat
Fresh off the boat
 
Posts: 2
Joined: Tue Apr 16 2019 12:24

Ads helps Volumio remain Free and Open Source. Please consider donating to help us continue to serve you.


security issue - wlan credentials visible in tidal login

Postby michelangelo » Tue Apr 16 2019 16:24

I think you misunderstood: the fields are probably filled by the browser auto-filling options. We do not send back the TIDAL and QOBUZ credentials.
To verify, just use a new window in incognito mode and you won't see them
User avatar
michelangelo
Founder
 
Posts: 4141
Joined: Sun Dec 15 2013 23:18


security issue - wlan credentials visible in tidal login

Postby cavelord » Tue Apr 16 2019 17:10

Hi michelangelo,

You are right. I opened an incognito window and anything is fine.

thank you very much.
Random avatar
cavelord
Fresh off the boat
Fresh off the boat
 
Posts: 2
Joined: Tue Apr 16 2019 12:24


Return to Bug reports

Who is online

Users browsing this forum: No registered users and 0 guests