security issue - wlan credentials visible in tidal login

cavelord · April 16, 2019, 12:41pm

Hi All,

first of all thank you very much for this excellent music system !!
To help improve it Ieven more I share my latest observation.

I observed a security issue with volumio 2.565 on Raspberry Pi 2.
I installed the following plugins:
Spotify
Volumio Spotify Connect2
Backup&Restore Data
Volumio simple equalizer
Amplifier switch
Touch display
Some of them are installed for future use; I only activated Spotify and Backup.
The system is accessible only via WLAN with WPA2.

Now to the security issue:
When I access “My Music” then within the Tidal and Quobuz sections the Username and Password are filled; Username is filled with my WLAN SSID and Password with dots (I suspect it is the WLAN password).
Either if I delete these entries or fill them with fake entries and login to tidal - which returns “success” - in either case the Username and Password are unchanged to the SSID and the dots if I leave the page and return.

Is there a way I can change this ?
If not - can this be fixed ?

Thank you very much.

volumio · April 16, 2019, 4:24pm

I think you misunderstood: the fields are probably filled by the browser auto-filling options. We do not send back the TIDAL and QOBUZ credentials.
To verify, just use a new window in incognito mode and you won’t see them

cavelord · April 16, 2019, 5:10pm

Hi michelangelo,

You are right. I opened an incognito window and anything is fine.

thank you very much.