Bug in WebUI can lead to disclosure of credentials

Originally published at: https://www.privacyidea.org/bug-webui-can-lead-disclosure-credentials/

A bug in the WebUI can lead to disclosure of the credentials of previously logged-in users.

Under certain conditions an attacker with local, physical access to the user's workstation can obtain the passwords of users who previously logged in to the WebUI.

Details

Preconditions

This problem occurs if both of the following conditions apply:
  1. A user logged in to the WebUI locks the WebUI or logs out, but does not close the browser tab.
  2. The attacker gets local access to that browser tab.

Affected versions

privacyIDEA < 2.21.4

Technical background

The WebUI writes a lot of debug information to the console log of the browser. This includes the login credentials, and they are not removed from the console when the user logs out or locks the WebUI: the console history belongs to the open browser tab and is only discarded when the tab is closed.
An attacker who reaches the user's desktop can therefore switch to the still-open browser tab, open the developer console and read the credentials from the logged entries.
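The following is an added example, not code from privacyIDEA, that shows the logging pattern described above next to a redacting alternative. The function names, the sensitive-field pattern and the sample request body are assumptions made for the illustration.

```javascript
// Added example (not privacyIDEA's code). Field names, helper names and the
// sample payload are assumptions for illustration only.

// Keys that must never reach the console. Matching is case-insensitive and
// also catches compound names such as "newPassword". Over-redaction of a
// harmless field (e.g. "shipping" matching "pin") is acceptable for debug output.
const SENSITIVE_KEY_PATTERN = /(pass(word)?|pin|otp|secret|token|authorization)/i;

// Vulnerable pattern: the whole request body, password included, is written to
// the console. The console buffer belongs to the tab, so a later logout or UI
// lock does not remove these lines; only closing the tab discards them.
function debugLoginUnsafe(payload) {
  console.log("login request:", payload);
  return payload;
}

// Return a deep copy of `value` with every credential-like field replaced by a
// marker. Nested objects and arrays are walked; other values are returned as-is.
function redactCredentials(value) {
  if (Array.isArray(value)) {
    return value.map(redactCredentials);
  }
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY_PATTERN.test(key) ? "[REDACTED]" : redactCredentials(v);
    }
    return out;
  }
  return value;
}

// Hardened pattern: only the redacted copy is logged, and only when debugging
// is explicitly enabled. The redacted copy is returned so callers can inspect it.
function debugLoginSafe(payload, debugEnabled = false) {
  const redacted = redactCredentials(payload);
  if (debugEnabled) {
    console.log("login request:", redacted);
  }
  return redacted;
}

// Constructed sample request body, not a real capture.
const sampleLogin = {
  username: "alice",
  password: "correct horse battery staple",
  realm: "users",
  transaction: { otp: "123456", id: "t-1" },
};

debugLoginUnsafe(sampleLogin);     // password and OTP end up in the console history
debugLoginSafe(sampleLogin, true); // console shows "[REDACTED]" for both
```

Redaction at the logging boundary is the important part: a logout handler that clears application state cannot reach back into the console buffer, so credentials must never be written there in the first place.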

Advisory

Until the upgrade is done, access to the browser tab by any third person needs to be prevented:
  • No third person should use the user's computer/desktop.
  • The desktop should be locked whenever the user leaves it.
  • The browser tab should be closed when the user has finished working in the WebUI.

Fix

This bug is fixed in version 2.21.4 of privacyIDEA.
We recommend following the mitigation advice above and upgrading to the current version of privacyIDEA in a timely manner.

Credits

This bug was discovered in an external review by René Arends from the Hogeschool Rotterdam.