[Koha-bugs] [Bug 33253] New: 2FA - Form not excluded from autofill
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Mar 16 17:52:28 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33253
Bug ID: 33253
Summary: 2FA - Form not excluded from autofill
Change sponsored?: ---
Product: Koha
Version: 22.05
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5 - low
Component: Staff interface
Assignee: koha-bugs at lists.koha-community.org
Reporter: tech.sam at salinapublic.org
QA Contact: testopia at bugs.koha-community.org
CC: gmcharlt at gmail.com
I've been testing the 2FA module in our install, working great so far, but I
noticed the authentication form field is not marked to be excluded from auto
completion. Because of this, after several weeks of use, every time I click on
the field, I see a list of all prior authentication codes used. This might be
possible to be used in an attack to reverse-engineer the secret key using past
codes and when they were entered. Even if that isn't the case, it means
browsers are saving loads of unnecessary data that is one-time use.
Information on how to disable auto completion in form fields can be found here:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list