
Hashed WebUI Passwords


fv


Hi,

I found out that when you set up a user for the WebUI, uTorrent saves the username and password in settings.dat. But when I saw that, I also saw something that I didn't like. The password stands plain in this file; this means that anyone who opens the settings.dat file can see your password!!

Now, I think it would be a better solution if the password is hashed (with sha1 or something similar). Hope this can be implemented?

Frank


?action=getsettings retrieves the password in plaintext for real, so having access to settings.dat isn't a must for others to possibly get a hand on the password. That's still a difficult chance for someone to steal, as the HTTP auth session breaks on browser exit, but still :P

I agree with this suggestion, and do recall it being suggested before as well.


The token system wasn't meant to prevent random pulling of settings and whatnot -- that's already handled (weakly) by basic HTTP auth. It was to prevent malicious websites from tricking users into changing the password (and/or whatever other things could be done via CSRF).


Archived

This topic is now archived and is closed to further replies.
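The suggestion from the first post, as an added example that is not part of the thread or of uTorrent's code: keep a salted hash in the settings file instead of the password, and check an HTTP Basic `Authorization` header against it. The function names, record layout and iteration count are assumptions, and PBKDF2-HMAC-SHA256 with a per-user salt is used here in place of the bare SHA-1 mentioned in the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; tune for the host


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a settings file would hold instead of the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def check_basic_auth(header: str, username: str, record: dict) -> bool:
    """Validate the value of an 'Authorization: Basic <base64>' header."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode(), username.encode())
    # Always run the KDF so a wrong username costs the same as a wrong password.
    return verify_password(record, password) and user_ok


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    rec = make_record("correct horse")
    hdr = "Basic " + base64.b64encode(b"admin:correct horse").decode()
    print(rec)
    print(check_basic_auth(hdr, "admin", rec))
```

Because only the salt and digest are stored, reading the file or dumping the stored settings does not yield the password itself.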
