User passwords are exposed to bubble admins via the editor

shimon.m · 2024-12-09T21:15:53.897Z

This screenshot was taken in the server logs screen when troubleshooting my reset password flow. The password that I used was 12345 which is almost entirely shown here.

Screenshot:
Screenshot 2024-12-09 at 3.42.44 PM

georgecollier · 2024-12-09T21:32:45.836Z

The first two and last two characters are shown.

I agree it should probably all be redacted as the first two and last two characters may be all that’s necessary to work out a password.

However, you should also have a password policy defined in your app settings that requires min 8. characters to make this harder.

code-escapee · 2024-12-09T22:47:03.173Z

Yes, it should be possible to specify whether any characters are visible in logs in the settings.

It is not very useful because I do not believe those four characters can be retrieved later. So allowing visibility in the logs can be a security risk, with no benefit (unless I am mistaken) to offset the drawback.

system · 2024-12-23T21:16:39.133Z

This topic was automatically closed after 14 days. New replies are no longer allowed.