Url contains username and password în plain text

Question

Url contains username and password în plain text

savornicesei opened this issue 3 years ago · comments

Simona Avornicesei commented 3 years ago

Hi all,

When entering OpenSubtitiles credentials in Jellyfin, it redirects to

http://localhost:8096/web/index.html?username=<my_username>&password=<my_password>#!/configurationpage?name=Open%20Subtitles?username=<my_username>&password=<my_password>

where my_username and my_password are my credentials for OpenSubtitles.org, in plain text.

It seems they're kept in the url even if I leave the plugin page:

For security reasons they should not be passed in plain text and in the query string.

Jellyfin v10.7.5
OpenSubtitles plugin v10.0.0

Thank you.

uranderu · Answer 1 · Wed Jul 07 2021 10:34:36 GMT+0800 (China Standard Time)

I agree this maybe isn't the most clever design. However, there is a quick fix for this, enabling HTTPS :)

Simona Avornicesei · Answer 2 · Wed Jul 07 2021 15:20:08 GMT+0800 (China Standard Time)

That is not a fix 😄

Claus Vium · Answer 3 · Wed Jul 07 2021 15:41:07 GMT+0800 (China Standard Time)

Putting the password in the request body instead does not exactly stop sniffing attempts. Use HTTPS.