Peter Chen created FINERACT-2129:
------------------------------------
Summary: Storage of Sensitive Information in a Cookie
Key: FINERACT-2129
URL: https://issues.apache.org/jira/browse/FINERACT-2129
Project: Apache Fineract
Issue Type: Bug
Components: Client, Security
Reporter: Peter Chen
h2. Description
The application stores sensitive information (user credentials) in a cookie using base64 encoding, which is a reversible encoding rather than encryption.
h2. Reproduction Steps
1- Log in at https://openmf.github.io/web-app/ or https://demo.mifos.io with the following credentials: {{mifos: Secure@123}}.
2- Now intercept any request and base64-decode the {{Authorization}} header.
*Encoded:* {{bWlmb3M6U2VjdXJlQDEyMw==}}
*Decoded:* {{mifos:Secure@123}}
h2. Remediation Advice
Sensitive information should not be stored in a cookie using a weak, reversible encoding such as base64.
h2. Impact Details
An attacker who captures the cookie via a MitM attack can decode the stored credentials and access the victim's account.
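The following is an added example, not code from the report or from Apache Fineract, that shows the two points a reviewer of this issue would want to verify: that a Basic {{Authorization}} value is trivially reversible (base64 offers no confidentiality), and that cookies carrying session material should at least be marked {{Secure}} and {{HttpOnly}} so they are not sent over plaintext connections or exposed to scripts. The header lines it audits are constructed samples; the encoded value is the one quoted in this report, and the function names are assumptions of this example.

```python
"""Audit captured HTTP header lines for the credential-exposure patterns
described in this report. Added example, not Fineract code; the sample
headers below are constructed for illustration."""
import base64
import binascii

# Constructed sample: one request carrying HTTP Basic credentials (the
# value from the report), one response setting a cookie without protective
# attributes, and one response setting a cookie with them.
SAMPLE_HEADERS = [
    "Authorization: Basic bWlmb3M6U2VjdXJlQDEyMw==",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: sid=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' header value, or None.

    Base64 is an encoding, not encryption: anyone holding the header
    recovers the plaintext credentials with a single decode call.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def missing_cookie_flags(value):
    """Return the names of protective attributes absent from a Set-Cookie value."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in value.split(";")[1:]
    }
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


def audit(headers):
    """Return (header_name, finding) tuples for exposed credentials and
    unprotected cookies. Findings name the user but never the password, so
    the audit output does not itself become a place credentials are stored."""
    findings = []
    for line in headers:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "authorization":
            creds = decode_basic(value)
            if creds:
                findings.append(
                    (name, f"Basic auth exposes reversible credentials for user '{creds[0]}'")
                )
        elif name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            missing = missing_cookie_flags(value)
            if missing:
                findings.append(
                    (name, f"cookie '{cookie_name}' lacks {', '.join(missing)}")
                )
    return findings


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_HEADERS):
        print(f"{header}: {finding}")
```

Running the block reports two findings for the constructed sample: the Basic header for user {{mifos}} and the {{session}} cookie missing both flags; the third header passes. The remediation this implies matches the advice above: do not persist reusable credentials client-side in any encoding, and use a short-lived session token sent only over TLS in a {{Secure}}, {{HttpOnly}} cookie.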
--
This message was sent by Atlassian Jira (v8.20.10#820010)