fv Posted August 16, 2008
Hi, I found out that when you set up a user for the WebUI, uTorrent saves the username and password in settings.dat. But when I saw that, I also saw something that I didn't like. The password stands plain in this file, this means that anyone who opens the settings.dat file can see your password!! Now, I think it would be a better solution if the password is hashed (with sha1 or something similar). Hope this can be implemented?
Frank
Firon Posted August 16, 2008
Yeah, it's something we could fix. But how many people are really going to have access to your settings file? And it's still going to be transmitted in plaintext (because it's basic HTTP auth).
Ultima Posted August 18, 2008
?action=getsettings retrieves the password in plaintext for real, so having access to settings.dat isn't a must for others to possibly get a hand on the password. That's still a difficult chance for someone to steal, as the HTTP auth session breaks on browser exit, but still I agree with this suggestion, and do recall it being suggested before as well.
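To make the two points above concrete (the credential sitting in plaintext in settings.dat, and a settings dump that echoes it back), here is an added example of how a WebUI could store only a salted, iterated hash and redact the credential from any settings export. This is illustrative code written for this thread, not uTorrent's own implementation; the setting names `webui.username` and `webui.password_hash`, the sample user and password, and the use of PBKDF2-HMAC-SHA256 (a deliberate step up from the bare sha1 the opening post mentions, since an unsalted fast hash of a short password is cheap to reverse) are all assumptions of the example.

```python
import hashlib
import hmac
import json
import os

# Work factor for PBKDF2; chosen for this example, tune to the host's CPU budget.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(candidate, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_settings(username, password):
    """Build the settings that would be written to disk: the plaintext is never kept.

    The key names are assumptions of this example, not uTorrent's real keys.
    """
    return {
        "webui.username": username,
        "webui.password_hash": hash_password(password),
    }


def export_settings(settings):
    """What a ?action=getsettings style endpoint should return: credentials redacted.

    Even a hash should not leave the process; a reader only needs to know it is set.
    """
    return {
        key: ("<redacted>" if "password" in key else value)
        for key, value in settings.items()
    }


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    settings = make_settings("frank", "correct horse battery staple")
    print(json.dumps(settings, indent=2))
    print(json.dumps(export_settings(settings), indent=2))
    print("login ok:", verify_password("correct horse battery staple", settings["webui.password_hash"]))
    print("wrong pw:", verify_password("hunter2", settings["webui.password_hash"]))
```

With this layout, someone who reads settings.dat gets a salt and a PBKDF2 digest rather than the password itself, and a settings dump never reproduces the credential at all; the transport weakness Firon mentions (basic auth over plain HTTP) is a separate issue that hashing at rest does not address.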
Firon Posted August 18, 2008
Hm, didn't think of that.
thelittlefire Posted August 18, 2008
Well, doesn't the token auth system take care of just randomly pulling ?action=getsettings on uTorrent clients?
Firon Posted August 18, 2008
Someone would have to do it from the authenticated session (they'd have to be on the logged in PC).
Greg Hazel Posted August 18, 2008
Fixed, thanks!
Ultima Posted August 18, 2008
The token system wasn't meant to prevent random pulling of settings and whatnot -- that's already handled (weakly) by basic HTTP auth. It was to prevent malicious websites from tricking users into changing the password (and/or whatever other things could be done via CSRF).
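Ultima's distinction between the two layers (basic auth answers "who is this?", the token answers "did this request really come from the WebUI page and not from some other site the browser happens to have open?") is easy to see in code. The following is an added example written for this thread, not uTorrent's token implementation: a per-session token is issued to the page, and any action that changes state is refused unless the request carries it. The action names `setsetting` and `getsettings`, the `Session` class and the status codes are assumptions of the example.

```python
import hmac
import secrets

# Actions that modify the client; read-only actions are left to basic auth alone.
# Names are assumed for this example, not uTorrent's real action list.
STATE_CHANGING_ACTIONS = {"setsetting", "add-url", "remove"}


class Session:
    """An authenticated browser session (basic auth already succeeded)."""

    def __init__(self):
        # Unguessable, per-session value; a site that triggers a cross-origin
        # request cannot read this page, so it cannot learn the token.
        self.token = secrets.token_urlsafe(32)


def issue_token(session):
    """Endpoint the WebUI page itself calls to learn the token it must send back."""
    return session.token


def handle_request(session, action, supplied_token=None):
    """Dispatch one ?action=... request for an already-authenticated session.

    Returns (http_status, message). A cross-site request forged from another
    origin arrives with the victim's basic-auth credentials (the browser adds
    them) but without the token, so it stops at the check below.
    """
    if action in STATE_CHANGING_ACTIONS:
        if supplied_token is None or not hmac.compare_digest(supplied_token, session.token):
            return 400, "missing or invalid token"
    if action == "getsettings":
        return 200, "settings (credentials redacted)"
    return 200, "ok: " + action


if __name__ == "__main__":
    sess = Session()
    # Legitimate page: fetched the token first, then sent it with the change.
    print(handle_request(sess, "setsetting", issue_token(sess)))
    # Forged request from another site: authenticated, but no token.
    print(handle_request(sess, "setsetting"))
    # Read-only pull inside the same authenticated session: token not required.
    print(handle_request(sess, "getsettings"))
```

The last call is exactly the case Firon and Ultima describe: a token does not stop someone who already holds the authenticated session from reading settings, which is why the server should not return the password from that endpoint in the first place.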