Password reveled on dashboard

CGS
New here

Password reveled on dashboard

Not sure if there are others who've seen this issue but I believe this needs to be fixed.

 

I use Firefox for accessing the dashboard and when browsing to a page that has a hidden password & then browse away. Firefox gives me a pop-up asking me if I want to save the credentials. The funny thing is the password comes up in the username section unencrypted.

 

Follow the steps below and post here if you see the same

1. Navigate to Wireless>SSIDs

2. Select edit settings on a configured SSID

3. Now navigate to somewhere else, eg Switch>Switches

4. You should now get a pop-up to save your credentials with your password in the username section

 

Not sure what I did, but I also received a pop-up with my account password in the username section. I'll update it here if I find out where i had navigated to.

 

7 REPLIES 7
CGS
New here

Alright found where my account password gets revealed the same way.

 

Follow the steps and update if yours pops up as well

 

1. Navigate to Organization>Settings

2. Then navigate to lets say Organization>Administrators

3. You'll get a pop up asking to stay or leave, click leave

4. You should now see your account password in the credentials pop-up.

Gumby
Getting noticed

"Navigate to Organization>Settings"

 

You sure this is your account password and not SNMPv3 password?

 

Personally, it seems to be a strange way for firefox to be wanting to save passwords, every other system I've used only triggers on a form submit.  I wouldn't say it in inherently insecure, as the pages have a 'show key' button anyhow, unless it is showing the password when someone doesn't have the 'show key' button.

Yea I am 100% sure that it is the wireless password and my user account password (which doesn't have the show password option)

 

Have you tested this yourself?

antonis_sp
Building a reputation

This actually happens.

Once Chrome autofilled my account password in the SSID WPA2 psk passphrase.

 

What fun that was, changing the psk key on a country-wide deployment...

Just disable form and pass autofill on the dashboard page (browser setting). I don't think it's the dashboard implementation that is the problem, rather than the browser filling in info where it shouldn't.

Simple solution: use a real password manager. The built-in ones into browsers are flawed by design. There are enough examples for that, e.g. https://www.anti-malware.name/news/vulnerability-in-firefox-password-manager/

GaryShainberg
Building a reputation

I agree with @CptnCrnch I use 1Password which does the job very well

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
PhilipDAth
Kind of a big deal

Yeah that is annoying how browsers do that.

 

Many browsers have an option to disable auto-suggest for a URL.  Find that option and enable it for the Meraki shard you are on.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.