Meraki

Community

Password reveled on dashboard

CGS
New here
‎Jul 30 2020 4:52 PM
‎Jul 30 2020 4:52 PM

Password reveled on dashboard

Not sure if there are others who've seen this issue but I believe this needs to be fixed.

 

I use Firefox for accessing the dashboard and when browsing to a page that has a hidden password & then browse away. Firefox gives me a pop-up asking me if I want to save the credentials. The funny thing is the password comes up in the username section unencrypted.

 

Follow the steps below and post here if you see the same

1. Navigate to Wireless>SSIDs

2. Select edit settings on a configured SSID

3. Now navigate to somewhere else, eg Switch>Switches

4. You should now get a pop-up to save your credentials with your password in the username section

 

Not sure what I did, but I also received a pop-up with my account password in the username section. I'll update it here if I find out where i had navigated to.

 

0 Kudos
7 Replies 7
CGS
New here
‎Jul 30 2020 4:56 PM
‎Jul 30 2020 4:56 PM

Alright found where my account password gets revealed the same way.

 

Follow the steps and update if yours pops up as well

 

1. Navigate to Organization>Settings

2. Then navigate to lets say Organization>Administrators

3. You'll get a pop up asking to stay or leave, click leave

4. You should now see your account password in the credentials pop-up.

0 Kudos
In response to CGS
Gumby
Getting noticed
‎Jul 30 2020 6:37 PM
‎Jul 30 2020 6:37 PM

"Navigate to Organization>Settings"

 

You sure this is your account password and not SNMPv3 password?

 

Personally, it seems to be a strange way for firefox to be wanting to save passwords, every other system I've used only triggers on a form submit.  I wouldn't say it in inherently insecure, as the pages have a 'show key' button anyhow, unless it is showing the password when someone doesn't have the 'show key' button.

0 Kudos
In response to Gumby
CGS
New here
‎Jul 30 2020 8:11 PM
‎Jul 30 2020 8:11 PM

Yea I am 100% sure that it is the wireless password and my user account password (which doesn't have the show password option)

 

Have you tested this yourself?

0 Kudos
In response to CGS
antonis_sp
Building a reputation
‎Jul 30 2020 11:35 PM
‎Jul 30 2020 11:35 PM

This actually happens.

Once Chrome autofilled my account password in the SSID WPA2 psk passphrase.

 

What fun that was, changing the psk key on a country-wide deployment...

Just disable form and pass autofill on the dashboard page (browser setting). I don't think it's the dashboard implementation that is the problem, rather than the browser filling in info where it shouldn't.

In response to antonis_sp
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 31 2020 12:05 AM
‎Jul 31 2020 12:05 AM

Simple solution: use a real password manager. The built-in ones into browsers are flawed by design. There are enough examples for that, e.g. https://www.anti-malware.name/news/vulnerability-in-firefox-password-manager/

In response to CptnCrnch
GaryShainberg
Building a reputation
‎Jul 31 2020 5:18 AM
‎Jul 31 2020 5:18 AM

I agree with @CptnCrnch I use 1Password which does the job very well

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 1 2020 4:35 PM
‎Aug 1 2020 4:35 PM

Yeah that is annoying how browsers do that.

 

Many browsers have an option to disable auto-suggest for a URL.  Find that option and enable it for the Meraki shard you are on.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.