Are passwords revealed in gallery source code?

teknofile Registered Users Posts: 7 Beginner grinner
edited November 2, 2010 in SmugMug Support
Hey all, I was looking at the source code for one of my client gallery pages and noticed a line about halfway down the code page referring to the slideshow button where both the gallery password and the password I use to secure my SmugMug homepage are revealed. It looks something like this:

// Slideshow button
SM.buttons.slideshowButton = new SM.buttons.slideshow('altViews','slideshowButton',{"slideshowDiv":"fsssButton","flashVars":{"albumPass":"XXXXXX","sitePass":"XXXXXX"},"galleryInfo":{"galleryType":"Album","userNickName":"XXXXXX","albumId":14380558,"albumKey":"BcwzQ"}});

The Xs are the different passwords and my account name. BTW, I don't have a slideshow button enabled on my page (or at least one I can see). Does anyone else have this problem? I'd be pretty upset if one of my clients was able to see my password and look at other client galleries.

Comments

  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    Wow. That seems like a bad design decision. I see the same thing when inspecting one of my password protected galleries.

    On the other hand, it isn't really a full-on security breach because you can't get to this page without already knowing the password. So, it isn't revealing anything that you didn't already know in order to get there.

    But, it seems like a poor design to put a password in the actual source of the page. That means it's sitting around in browser caches too where others could snoop on it.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • teknofile Registered Users Posts: 7 Beginner grinner
    edited October 27, 2010
    jfriend wrote: »
    Wow. That seems like a bad design decision. I see the same thing when inspecting one of my password protected galleries.

    On the other hand, it isn't really a full-on security breach because you can't get to this page without already knowing the password. So, it isn't revealing anything that you didn't already know in order to get there.

    But, it seems like a poor design to put a password in the actual source of the page. That means it's sitting around in browser caches too where others could snoop on it.

    It is a breach because for my SmugMug homepage I have one password (so clients can't browse or see other galleries) and each of the individual galleries has its own password. Both passwords are revealed in my case.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    teknofile wrote: »
    It is a breach because for my SmugMug homepage I have one password (so clients can't browse or see other galleries) and each of the individual galleries has its own password. Both passwords are revealed in my case.
    I don't understand how you're using passwords so I can't comment on your site, but how does a user get to a page that they haven't already entered the password for? There is no such thing on Smugmug as a password that gets you access to just part of a Smugmug site (other than a single gallery).
  • teknofile Registered Users Posts: 7 Beginner grinner
    edited October 27, 2010
    jfriend wrote: »
    I don't understand how you're using passwords so I can't comment on your site, but how does a user get to a page that they haven't already entered the password for? There is no such thing on Smugmug as a password that gets you access to just part of a Smugmug site (other than a single gallery).

    Simple, if you go to http://www.terencepatrick.net (my SmugMug page), you will be asked for a password before entering the main gallery page. From there, each of the individual galleries has its own password. But if I link clients to their specific gallery only, they will only need to enter that gallery's password. If they decide to go to the root of the site (the .net), they'll be asked for my main password. Unfortunately, the source reveals both passwords.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    teknofile wrote: »
    Simple, if you go to http://www.terencepatrick.net (my SmugMug page), you will be asked for a password before entering the main gallery page. From there, each of the individual galleries has its own password. But if I link clients to their specific gallery only, they will only need to enter that gallery's password. If they decide to go to the root of the site (the .net), they'll be asked for my main password. Unfortunately, the source reveals both passwords.
    Hmmm, I didn't know that a link to a password protected gallery doesn't prompt for the site password. I can now see why this is an issue for you.

    You should report this issue in the bug reporting forum.
  • Andy Registered Users Posts: 50,016 Major grins
    edited October 27, 2010
    jfriend wrote: »
    You should report this issue in the bug reporting forum.

    No need. We're looking at this right now.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited October 27, 2010
    And to clarify, as far as I know no gallery password that hasn't been entered by the visitor already gets revealed. Visitors can only see the gallery password for the gallery they entered the password for in the first place.
    Sebastian
    SmugMug Support Hero
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    And to clarify, as far as I know no gallery password that hasn't been entered by the visitor already gets revealed. Visitors can only see the gallery password for the gallery they entered the password for in the first place.
    But, he's saying that the site password is being revealed to people who have only entered a gallery password. And, it's also bad form to put a gallery password into content that is often cached.
  • Andy Registered Users Posts: 50,016 Major grins
    edited October 27, 2010
    jfriend wrote: »
    But, he's saying that the site password is being revealed to people who have only entered a gallery password. And, it's also bad form to put a gallery password into content that is often cached.

    It's a bug - been fixed internally this morning and we'll get it on the live site as fast as we humanly can, thanks!
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    Andy wrote: »
    It's a bug - been fixed internally this morning and we'll get it on the live site as fast as we humanly can, thanks!
    Which issue is being fixed? The revealing of the site password or the inclusion of the gallery password in plain text or both?
  • bstrong Registered Users Posts: 53 Big grins
    edited October 27, 2010
    jfriend wrote: »
    Which issue is being fixed? The revealing of the site password or the inclusion of the gallery password in plain text or both?

    Both.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited October 27, 2010
    bstrong wrote: »
    Both.
    Great.
  • hackmann Registered Users Posts: 35 Big grins
    edited October 29, 2010
    woot! Security. I like security!
    You are invited to check my pictures at:
    http://www.carloshackmannphotography.com
    Please, leave comments. Thank you.
  • teknofile Registered Users Posts: 7 Beginner grinner
    edited November 2, 2010
    Thank you Andy & the rest of the SmugMug team!