01-12-2015 06:30 AM - edited 03-18-2019 03:53 AM
Hello,
Is it possible to disable auto-complete for the Cisco Codec C40 sign-in page? I'm unable to find anything in the settings via GUI, so I'd like to know if it's perhaps a software issue (currently TC7.1.2.a996098) or if it's even possible at all.
Thanks,
Andrew
01-12-2015 08:16 AM
I've never had the codec login page remember the username or password, unless I saved them in the browser. What happens if you clear your browser's cache and/or saved passwords?
01-12-2015 09:17 AM
Hi Patrick,
Thanks for your response. I'm hoping to find a server-side solution to this issue. I know it can be controlled by an HTML attribute, at least. The browser functionality you mentioned works as it should; if I tell it not to save, it won't. But this issue was brought to light as a result of a penetration test and I'd like to find a backend solution so that, even if a user has auto-complete/password saving turned on, the page will not allow it.
Thanks,
Andrew
01-12-2015 09:21 AM
Ah, I see what you're after. I don't know if that's possible; it's typically the browser that detects that a username/password was used on a website and prompts the user, not the website. You might have to edit the organization's web browser configuration to prevent the saving of passwords.
01-12-2015 05:29 PM
Have you tried updating the software on your endpoint to a more recent version?
I've noticed on a number of mine on different, more recent versions (TC7.1.4, TC7.2.1, TC7.3.0), the endpoint does not seem to ask for, or remember, the username or password on the browser login screen, so perhaps this "feature" has already been implemented, just not in the old version you are running.
Note: you should upgrade to at least TC7.2.1 to fix security vulnerabilities such as the advisory notice for Bash: cisco-sa-20140926-bash
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
01-13-2015 07:21 AM
I think you're right, Wayne... almost. I just tested logging into a codec running TC software with IE, Firefox, and Chrome. All but Chrome didn't prompt me to save the login details. Each of my browsers has that capability enabled.
So it might be an undocumented "feature" as Wayne says, or it could be how the website is presenting the login in which IE and Firefox didn't prompt me, yet Chrome did.
01-14-2015 04:08 AM
Hi Wayne,
I'll be upgrading tomorrow night. I'll let you know if it works!
Thanks,
Andrew
01-16-2015 06:53 AM
I upgraded to TC7.3.0 and both Firefox and Chrome are still able to autofill the passwords.
Alas, the fix appears to be an edit to the HTML code of the sign-in page. From our audit:

Number | Finding | Risk Level
1 | Authentication Form Field Auto-Complete | MEDIUM (5/10)

Category: Authentication

Description: The application's authentication form's fields have auto-completion enabled. The auto-completion feature allows a user's browser to store the username or password locally without any enforced security controls, such as encryption.

Applications Impacted: <redacted>

Impact: Usernames and passwords are typically protected in transit with SSL, and protected at rest on the backend with encryption or one-way hashing. However, with auto-completion, a user's username or password can be stored locally without any protection.
Also, if an attacker gains access to the user's web browser, the username or password can be compromised or unauthorized access can be gained without knowledge by letting the browser automatically populate the password field.

Recommendation: Any sensitive field, such as username, password, and any other data that must be protected through SSL encryption, should contain the option "autocomplete=off" in the HTML source.
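A check for the audit finding quoted above, added here as an example and not taken from the thread or from Cisco's software: it parses a sign-in form and lists the sensitive inputs whose effective `autocomplete` value is not `off`. The sample markup, the `/login` action and the field-name hints are constructed assumptions, not the codec's actual page.

```python
from html.parser import HTMLParser

NAME_HINTS = ("user", "login")  # assumed naming hints for username fields

# Constructed sample markup, not the codec's actual sign-in page.
SAMPLE_BEFORE = ('<form action="/login" method="post">'
                 '<input type="text" name="username">'
                 '<input type="password" name="password">'
                 '<input type="submit" value="Sign In"></form>')
SAMPLE_AFTER = ('<form action="/login" method="post" autocomplete="off">'
                '<input type="text" name="username">'
                '<input type="password" name="password" autocomplete="off"></form>')


class AutocompleteAudit(HTMLParser):
    """Collect sensitive inputs whose effective autocomplete is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Attribute values are lower-cased for comparison; valueless attrs become "".
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_setting = a.get("autocomplete")
        elif tag == "input" and self._sensitive(a):
            # The input's own attribute overrides the form-level setting.
            effective = a.get("autocomplete") or self.form_setting
            if effective != "off":
                self.findings.append((a.get("name", "?"), effective or "unset"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

    @staticmethod
    def _sensitive(a):
        kind, name = a.get("type", "text"), a.get("name", "")
        return kind == "password" or (kind == "text" and any(h in name for h in NAME_HINTS))


def audit(html):
    """Return (field name, effective autocomplete) for each flagged input."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Recent versions of the major browsers' password managers can ignore `autocomplete="off"` on login fields, so the attribute satisfies the audit recommendation without guaranteeing that credentials are never saved.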