cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Walkthrough Wednesdays
354
Views
0
Helpful
7
Replies
Andrew Chapman
Beginner

Disable auto-complete on Cisco Codec C40

Hello,

Is it possible to disable auto-complete for the Cisco Codec C40 sign-in page? I'm unable to find anything in the settings via GUI, so I'd like to know if it's perhaps a software issue (currently TC7.1.2.a996098) or if it's even possible at all.

Thanks,

Andrew

7 REPLIES 7

I've never had the codec login page remember the username or password, unless I saved them in the browser.  What happens if you clear your browsers cache and/or saved passwords?

Hi Patrick,

 

Thanks for your response. I'm hoping to find a server-side solution to this issue. I know it can be controlled by an HTML attribute, at least. The browser functionality you mentioned works as it should; if I tell it not to save, it won't. But this issue was brought to light as a result of a penetration test and I'd like to find a backend solution so that, even if a user has auto-complete/password saving turned on, the page will not allow it.

Thanks,

Andrew

Ah, I see what you're after.  I don't know if that's possible, it's typically the browser that detects username/password was used on a website, and prompts the user, not the website.  Might have to edit the organizations web browser configuration to prevent the saving of passwords.

Have you tried updating the software on your endpoint to a more recent version?

I've noticed on a number of mine on different, more recent versions (TC7.1.4 TC7.2.1, TC7.3.0), the endpoint does not seem to ask, or remember the username or password on the browser login screen, so perhaps this "feature" has already been implemented, just not in the old version you are running.

Note: you should upgrade to at least TC7.2.1 to fix security vulnerabilities such as the avisory notice for Bash: cisco-sa-20140926-bash

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

I think you're right Wayne.. almost.  I just tested logging into a codec running TC software with IE, Firefox, and Chrome.  All but Chrome didn't prompt me to save the login details.  Each of my browsers have that capability enabled.

So it might be an undocumented "feature" as Wayne says, or it could be how the website is presenting the login in which IE and Firefox didn't prompt me, yet Chrome did.

Hi Wayne,

 

I'll be upgrading tomorrow night. I'll let you know if it works!

 

Thanks,


Andrew

Andrew Chapman
Beginner

I upgraded to TC7.3.0 and both Firefox and Chrome are still able to autofill the passwords.

Alas, the fix appears to be an edit to the html code of the sign-in page. From our audit:

Number

Finding

Risk Level

1 

Authentication Form Field Auto-Complete

MEDIUM (5/10)

Category

Authentication

Description

The application's authentication form's fields have auto-completion enabled.  The auto-completion feature allows a user's browser to store the username or password locally without any enforced security controls, such as encryption.

 

System

URLs

<redacted>

<redacted>

 

Applications Impacted

<redacted>

Impact

Usernames and passwords are typically protected in transit with SSL, and protected at rest on the backend with encryption or one-way hashing.  However, with auto-completion, a user's username or password can be stored locally without any protection.

 

Also, if an attacker gains access to the user's web browser, the username or password can be compromised or unauthorized access can be gained without knowledge by letting the browser automatically populate the password field.

Recommendation

Any sensitive field, such as username, password, and any other data that must be protected through SSL encryption, should contain the option "autocomplete=off" in the HTML source.

Content for Community-Ad

Spotlight Awards 2021