password fields are visible thanks to "set default"
Bug #1015092 reported by Antoine (OpenERP)
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Odoo Server (MOVED TO GITHUB) | Fix Released | Medium | OpenERP Publisher's Warranty Team | |
Bug Description
On your database
1. Load a module with password fields (like import_google).
2. Set information on the user form, like the login and password of Google.
3. If you have access to "set default", e.g. as an admin, you potentially have access to all the Google accounts of your members.
I don't know if it's specifically the import_google or the webclient in general that should be checked, but I think it's a security issue.
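The form-view fix referenced below touches how the "Set Default" dialog collects field values. As an added illustration of the defensive idea (this is example code, not Odoo's or the reporter's, and the field descriptor shape, the `widget`/`password` attributes and the function names are assumptions), the snippet builds the dialog's candidate list while excluding any field flagged as a password, and masks such values if they ever have to be rendered:

```javascript
// Added example (not Odoo's code): never let a "Set Default" style dialog
// expose or persist values of password fields.

// Constructed sample of form field descriptors. The `widget: "password"` and
// `password: true` markers are assumed ways a view could flag a secret field.
const sampleFields = [
  { name: "name",           type: "char", widget: null,       value: "Alice" },
  { name: "gmail_user",     type: "char", widget: null,       value: "alice@example.com" },
  { name: "gmail_password", type: "char", widget: "password", value: "hunter2" },
  { name: "api_token",      type: "char", widget: null,       value: "tok-123", password: true },
];

// A field is secret if either marker is present; treat unknown markers as
// non-secret only because the sample has no others (extend as needed).
function isSecretField(field) {
  return field.widget === "password" || field.password === true;
}

// Candidates that a "Set Default" dialog may offer: secret fields are dropped
// entirely rather than merely hidden, so their values never reach the UI
// or any stored default.
function setDefaultCandidates(fields) {
  return fields
    .filter((f) => !isSecretField(f))
    .map((f) => ({ name: f.name, value: f.value }));
}

// Display helper for any place that must list a field's current value:
// secrets are masked, everything else is shown as-is.
function renderValueForDialog(field) {
  return isSecretField(field) ? "********" : String(field.value);
}

// Audit helper: given defaults already stored (name -> value), report which
// ones belong to secret fields so an administrator can purge them.
function findLeakedDefaults(fields, storedDefaults) {
  const secretNames = new Set(fields.filter(isSecretField).map((f) => f.name));
  return Object.keys(storedDefaults).filter((name) => secretNames.has(name));
}

// Stand-alone usage with the constructed sample.
console.log(setDefaultCandidates(sampleFields));
console.log(findLeakedDefaults(sampleFields, { gmail_password: "hunter2", name: "Bob" }));
```

Dropping the secret fields from the candidate list is preferable to only masking them: a masked value that is still copied into a stored default remains readable by anyone who can inspect that default later.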
Related branches
lp:~openerp-dev/openerp-web/trunk-bug-1015092-aja
- OpenERP Core Team: Pending requested
- Diff: 12 lines (+2/-1), 1 file modified: addons/web/static/src/js/view_form.js (+2/-1)
affects: openerp-web → openobject-server
Changed in openobject-server:
- assignee: nobody → OpenERP Publisher's Warranty Team (openerp-opw)
- importance: Undecided → Medium
- status: New → Confirmed
Changed in openobject-server:
- status: Confirmed → Fix Released
Hello Antoine,
Moreover, in general it's also against the Terms of Service of Google to build a web application that asks for a Google account and stores the password somewhere. Google recommends using OAuth instead, that is, asking to log in if the session has expired, getting a token to perform the operations, but NOT storing the Google password. So even if they fix this gross bug, anybody with access to the database or to the code would still too easily rip all employees' passwords.