Originally published at: https://www.privacyidea.org/bug-webui-can-lead-disclosure-credentials/
A bug in the WebUI can lead to disclosure of the credentials of previously logged-in users.
Under certain conditions, a local, physical attacker can get access to the passwords of previously logged-in users from the WebUI.
Preconditions
This problem occurs if the following conditions apply:
- A logged-in user in the WebUI locks the WebUI or logs out and does not close the browser tab.
- The attacker gets local access to the browser tab.
Affected versions
privacyIDEA < 2.21.4
- No third person should use the user's computer/desktop.
- The desktop should be locked when the user leaves their desktop.
- The browser tab should be closed, when the user has finished working in the UI.