View Issue Details

ID: 16666
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-01-14 19:15
Reporter: phitho
Assigned To: (none)
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 3.23.3
Summary16666: Registration (continue later): Bounced E-Mail with visible password
Description

One of my participants wanted to continue later and signed up with his e-mail address. There was a 554 error and the e-mail bounced to the administrator - with visible log-in credentials (e-mail and password).
The visible password should never be sent to the participants to prevent this.

Tags: security
Complete LimeSurvey version number (& build): Version 3.23.3+200909
I will donate to the project if issue is resolved: No
Browser: (not given)
Database & DB-Version: I'm not the admin
Server OS (if known): (not given)
Webserver software & version (if known): (not given)
PHP Version: I'm not the admin

Relationships

duplicate of 11848 (new, Feature requests): Saved Surveys - E-Mail Notification Password in Plain Text

Activities

uibklime1 (reporter), 2020-11-05 14:07, note ~60560

Seconding. In fact, the BIG problem here is that the user is prompted for a password at all -- the user may be fooled into using a browser-prompted password for the user's logons on the same domain, which is completely INSECURE. So EITHER the user should be sent a randomly generated password (or better yet, a link) OR the password is never sent out in plain text, but salted and hashed before POSTing. Alternatively, you can try to creatively figure out how to reverse-engineer Chrome's usability engineers with JavaScript+HTML to disable auto-fill of the password fields: https://stackoverflow.com/questions/15738259/disabling-chrome-autofill
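
The link-based alternative suggested in the note above, as an added illustration that is not LimeSurvey's own code: the "continue later" flow issues a random resume token, persists only a hash of it, and the e-mail carries a link instead of any credential, so a bounce or leak exposes a revocable token rather than a password the participant may reuse elsewhere. The base URL, record fields and expiry are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed values for this constructed example (not LimeSurvey configuration).
RESUME_BASE_URL = "https://survey.example.invalid/resume"
TOKEN_TTL_SECONDS = 7 * 24 * 3600


def _hash_token(token: str) -> str:
    # The stored value; the plaintext token exists only in the e-mail link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_resume_token(survey_id: int, email: str, now: Optional[float] = None):
    """Return (plaintext token for the e-mail, record to persist server-side)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not user-chosen
    record = {
        "survey_id": survey_id,
        "email": email,
        "token_hash": _hash_token(token),  # never the token, never a password
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token, record


def compose_resume_email(record: dict, token: str) -> str:
    """Mail body containing a link only; nothing here is a reusable credential."""
    return (
        f"To continue survey {record['survey_id']}, open:\n"
        f"{RESUME_BASE_URL}?sid={record['survey_id']}&t={token}\n"
        "This link expires in 7 days. If you did not request it, ignore this mail."
    )


def redeem_resume_token(record: dict, presented: str, now: Optional[float] = None) -> bool:
    """Constant-time comparison of the presented token against the stored hash."""
    now = time.time() if now is None else now
    if now > record["expires_at"]:
        return False  # expired links are rejected even if the hash matches
    return hmac.compare_digest(record["token_hash"], _hash_token(presented))
```

If a bounce lands in the admin mailbox, the record's hash can simply be deleted to invalidate the link; no participant secret was ever in transit.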

Issue History

Date Modified Username Field Change
2020-09-14 09:49 phitho New Issue
2020-11-05 14:07 uibklime1 Note Added: 60560
2020-11-05 14:09 uibklime1 Tag Attached: security
2021-01-13 08:56 DenisChenu Category Encryption => Security
2021-01-13 08:59 DenisChenu Relationship added duplicate of 11848