
Cleartext Machine Key

What does this mean?

The application saves sensitive data in cleartext within a resource that could be accessed by another control sphere.

What can happen?

Because the data is stored in cleartext, anyone who can read the resource (a config file on disk, a cookie on the user's workstation, a database dump, a log) can read the data. Encoding it in a non-human-readable form such as Base64 does not help: encoding involves no secret, so an attacker can recognise which encoding is in use and decode it. Cleartext storage of credentials remains one of the most prevalent and damaging weaknesses found in applications, and the root cause is the same in each case: sensitive data is written somewhere without being encrypted.

Recommendation

  • The user's username and password should not be stored in plaintext in a cookie on the user's workstation. Prefer a session identifier or an opaque, random token that the server can map back to the user.
  • Encrypt sensitive data before writing it to any buffer or storage location (file, database, cookie) that another control sphere can read.
  • Username and password information should not be placed in plaintext in a configuration or properties file, as anyone who can read the file gains access to the resource. Load such secrets from the environment or a secrets manager at startup, or store them in encrypted form.

Sample Code

Vulnerable :

...
<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
...

Vulnerable :

# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
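Both configuration samples above put the credential literal right next to its key, which is what a reviewer or a pre-commit check should be looking for. The following is an added example in Node.js, not code from the original page: it scans configuration text (properties, XML, .env, YAML) for keys that normally hold a credential and flags any whose value is a literal rather than a reference such as ${VAR} or ENC(...), and it shows the startup loader that replaces the literal with a value taken from the environment and refuses to run when that value is missing. The regexes, the environment variable name LDAP_PASSWORD and the sample inputs are constructed for this demo (the first two inputs copy the page's own fragments).

```javascript
// Added example (not from the original page): detect cleartext credentials in
// configuration text and load the real secret from the environment instead.

// Keys that usually hold a credential, followed by '=' or ':' and a value.
const SECRET_KEY_RE =
  /([A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))\s*[=:]\s*["']?([^"';,\s]+)/gi;

// A value that is a reference to an external secret store, not the secret itself
// (${VAR}, $VAR, %VAR%, ENC(...), {{ var }}); these are considered safe.
const REFERENCE_RE = /^(\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|%[^%]+%|ENC\([^)]*\)|\{\{[^}]+\}\})$/;

// Scan configuration text line by line and return every key whose value is a
// literal. Comment lines starting with '#' or ';' are skipped.
function findCleartextSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    if (/^\s*[#;]/.test(line)) return;
    for (const m of line.matchAll(SECRET_KEY_RE)) {
      const [, key, value] = m;
      if (!REFERENCE_RE.test(value)) findings.push({ line: idx + 1, key });
    }
  });
  return findings;
}

// Resolve a secret at startup from the environment. An empty or missing value is
// an error: refusing to start is safer than falling back to a default or to a
// literal left in the file.
function loadSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`secret ${name} is not set; refusing to start`);
  }
  return value;
}

// Constructed inputs: the two vulnerable fragments from the page and a corrected
// properties file that references the secret instead of embedding it.
const VULNERABLE_XML = `<connectionStrings>
<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>`;

const VULNERABLE_PROPERTIES = `# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword`;

const FIXED_PROPERTIES = `webapp.ldap.username=svc-webapp
webapp.ldap.password=\${LDAP_PASSWORD}`;

console.log(findCleartextSecrets(VULNERABLE_XML));        // [ { line: 2, key: 'pwd' } ]
console.log(findCleartextSecrets(VULNERABLE_PROPERTIES)); // [ { line: 3, key: 'webapp.ldap.password' } ]
console.log(findCleartextSecrets(FIXED_PROPERTIES));      // []
// Simulated environment: in production this comes from the process environment
// populated by the orchestrator or secrets manager.
console.log(loadSecret('LDAP_PASSWORD', { LDAP_PASSWORD: 'value-from-vault' }));
```

The check is deliberately simple: it will produce false positives on keys such as `token_lifetime`, and it cannot see secrets that are built up from several values. Treat it as a first-pass gate in CI, not as proof that a file is clean.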

Vulnerable :

function persistLogin($username, $password){
  $data = array("username" => $username, "password" => $password);
  // Vulnerable: the credentials are written to the cookie in cleartext.
  // setcookie() takes a string value, so the array is JSON-encoded; that is
  // encoding, not encryption, and anyone holding the cookie can read the password.
  setcookie("userdata", json_encode($data));
}

Vulnerable :

const express = require('express');
const app = express();
app.get('/remember-password', (req, res) => {
  const pw = req.query.current_password;
  // Vulnerable: the password is sent back to the client in a cleartext cookie
  res.cookie("password", pw);
  res.sendStatus(204);
});

Non Vulnerable :

const express = require('express');
const crypto = require('crypto');

// 32-byte key for AES-256, loaded from the environment (hex-encoded) rather than
// from the source or a config file. The original used the removed, insecure
// crypto.createCipher() with an undefined getPassword() helper and no IV.
const key = Buffer.from(process.env.COOKIE_KEY_HEX, 'hex');

// AES-256-GCM with a fresh random IV per call; output is iv:tag:ciphertext in hex.
// Only the server holds the key, so the cookie is opaque to the client.
const encrypt = (text) => {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('hex')).join(':');
};

const app = express();
app.get('/remember-password', (req, res) => {
  const pw = req.query.current_password;
  // Non Vulnerable: only ciphertext reaches the client, in a cookie that scripts
  // cannot read and that is sent over HTTPS only
  res.cookie("password", encrypt(pw), { httpOnly: true, secure: true, sameSite: 'strict' });
  res.sendStatus(204);
});
