Password can be seen using Inspect Element

Introduction
I am a Senior Developer in a company and we recently tried the Passbolt password manager. It seems good, but there is an issue with the sharing of passwords.

The Problem?
The issue with the sharing of passwords is that when a user shares a password and the other user gets access to that password, he can just use the password on the site using autofill.
But the real issue is that the second user can press the “F12” key, change the type of the password field from “Password” to “Text” and see exactly what the password is.

Why is it important?
It is important because we don’t want the user to see/check the password of the other user. He can just use that password to access the site and that’s it.
The issue can be a major thing if the user knows the password of the other user. He can easily change the password and no one will know about it. (Let me know if I am wrong here, because some password managers notify you when the password is changed) but still that will be too late to acknowledge.

For Example:
I have shared my password with a lot of people and someone just changed my password. I will not know which person changed it. And if I know, and the person is out of contact for me, then what can I do to resolve the issue?

Solution
There are two solutions to this issue according to me:

  1. We can use JavaScript whenever a user uses the autofill option. The autofill will automatically press the Enter key using the Enter key event.
  2. Most of the time the Login button uses the class “Submit” or “Login” in its code. So, whenever a user uses the autofill option, the button with the class Submit/Login will be pressed too.

In these ways, the user will not have the time to change the field using Inspect.

Please let me know if anyone has a better solution to this.
I am open to suggestions.

Hello,

Yes, this is a known behavior. This is why we were reluctant to implement the UI RBAC for this, as it is trivial to bypass. See One Click Login, without seeing the text password - #6 by remy

Your proposed solution doesn’t solve the problem either: it would still be possible to view the data in clear in the console under the Network tab, by clicking on the request and selecting the Payload tab.

The only way to solve this problem would be to implement a proxy with deep packet inspection and replace the password there on the fly. This is the model used by CyberArk, for example, but not something passbolt will implement (as we want to provide end-to-end encryption).

I hope this helps.
Best,
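
The last paragraph describes the only model that really keeps the plaintext out of the browser: the client submits an opaque reference, and a proxy in the request path swaps in the real secret. The following is an added illustration of that substitution step, written for this thread (not passbolt or CyberArk code); the `vault://` reference format, the `SAMPLE_VAULT` table and its permission model are assumptions, and it runs under Node, where `URLSearchParams` is global.

```javascript
// Added example: credential substitution at an injection proxy.
// The browser only ever holds an opaque reference; the proxy, sitting
// between the browser and the target site, replaces the reference with
// the real secret before forwarding the login request. With this model,
// "Inspect Element" or the Network tab can only ever show the reference.
// Reference format, vault contents and permission model are assumptions.

const REF_PATTERN = /^vault:\/\/([0-9a-f-]{36})$/;

// Constructed sample vault: the proxy holds the secrets, the users do not.
const SAMPLE_VAULT = {
  '2f1c0e3a-0000-4000-8000-000000000001': {
    secret: 'correct horse battery staple',
    // "use": may log in through the proxy without ever seeing the value.
    // "read": may also view the value in the password manager itself.
    permissions: { alice: 'use', bob: 'read' },
  },
};

// Constructed login request exactly as the browser would send it: the
// password field carries the reference, not the password.
const SAMPLE_BODY =
  'username=alice&password=vault%3A%2F%2F2f1c0e3a-0000-4000-8000-000000000001';

// Rewrites an application/x-www-form-urlencoded body for `user`.
// Returns the rewritten body, or null when a reference is unknown or the
// user has no permission on it, so the caller rejects the request rather
// than forwarding a body that still contains the reference.
function injectCredentials(body, user, vault = SAMPLE_VAULT) {
  const params = new URLSearchParams(body);
  // Iterate over a snapshot: params.set() mutates the live list.
  for (const [name, value] of [...params]) {
    const match = REF_PATTERN.exec(value);
    if (!match) continue; // ordinary field, forward untouched
    const entry = vault[match[1]];
    const role = entry && entry.permissions[user];
    if (!role) return null; // unknown reference or no permission
    params.set(name, entry.secret);
  }
  return params.toString(); // serializer encodes spaces as '+'
}
```

The client-side mitigations proposed earlier (auto-submit, blocking F12) do not change what the browser receives, so they have no equivalent of the permission check above; only the component that holds the secret can enforce it.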


Hi Remy,
Hope you are doing well.

Thanks for all the clarification.
I knew that the solution would not work and that users can still use the Network tab to stop the execution of the JavaScript and still see the password.

I have read the forums you sent me, and there is one solution you said is expensive and that you are not going to implement, and also you are not going to use the One Click Login (that is actually not a solution).

So, actually, as I told you earlier, I am a developer and we are hosting Passbolt on our servers.
So, can you please let me know where you have the code for the autofill option? Then I am capable of altering it on my own.

It would be a great help. I have checked the code of the browser extension but can’t find the autofill functionality code.
If you help me and tell me where I can edit the code, I can implement the change on my own side.

BTW, I have checked a site where the user can’t right-click and also can’t use F12.
The site address is:
https://moodle.evdokimos.edu.gr/login/index.php

You can check the site and I think this option can be our solution to the problem.

Please tell me whether you think it will be a good solution or not.
I would love to hear your feedback on this.

Thanks for taking the time to reply.

Hi @remy,
Hope you are doing well.

I haven’t got any response from you.
I know that you might be busy with other tasks, and sorry to disturb you again and again.

Likewise, I would be happy to have your response on this ticket.

I have another thing to discuss with you.

Why don’t we have an autofill shortcut key? It would save a lot of time. I know that there is a feature request related to this, but there has been no update for quite a long time.

As much as I’d like to help you, even though I think it’s not a good idea (one can still open the dev tools using the regular menu), I’m not sure exactly what changes need to be done where to implement what you want. Stuff like disabling F12 and right click would probably need to be done in one of the scripts that is injected in every page, like this one. All the visible components are actually part of the styleguide, which the browser extension uses, so I would look there for front-end shenanigans.

There was talk about it; I think we should create a feature request for this. Feel free to create one. Ref. Firefox keyboard shortcut missing

Hi @remy ,
Thanks for the help.

As you have said, you might not be the correct person to ask about the placement of the code.
Can you tell me someone whom I can contact to get help?

Please, let me know.

Thanks,

Hi @SyedToheed !

You can start to check there if you wish: passbolt_styleguide/src/react-web-integration at master · passbolt/passbolt_styleguide · GitHub

However, I would like to highlight again that as every user has their private key and access to the encrypted password, they are always able to decrypt it manually, even though it can be difficult for some users.

Also, I’m not sure I fully understand the problem you mentioned. Do you mean changing the password registered in your Passbolt instance or on the service you wish to sign in to?
Because I don’t know how you can prevent a signed-in user from changing the password of the service they signed in to with an auto-submit. There are maybe some cases I don’t know of, of course, but a usual password change process (like inputting the current password and inputting the new password twice) won’t be blocked this way.
Otherwise, if it’s about preventing a user from changing a password in your Passbolt instance, then there are ways to do that by selecting the right share permission.
Hope it helps

Hi @Steph ,
Hope you are doing well,

Seriously, thanks for taking the time to respond.

Actually, the post wasn’t related to changing the password.
It was actually meant to be that
the user can’t see the password if the password is shared with them.

I know there will still be possibilities, but I want to correct the ones that come in front of me.
Currently, that is the Inspect Element that changes the password field to a text field.

And, thanks for sharing the link. It looks very helpful to me.

If you have any ideas, I would love to hear them.

Warm Regards,

Just to add an element:
https://moodle.evdokimos.edu.gr/login/index.php
If you put the DevTools in detached mode, you can interact with the DOM.