Minor security issue / login bug


#1

When a customer tries to create an account with a password that starts with ‘$2’, he will not be able to access the account.

Also, the password will be stored in clear text. That is a security risk if the customer is using the same password for other accounts. Someone with access to the database will be able to see the password and get into the user’s accounts.

The cause of the problem is the condition in the getEncodedPassword method of the Customer class.
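As an added illustration of the bug class described in this post (this is not Spryker’s getEncodedPassword(), and the function names, the assumed login check and the sample passwords are all constructed for the example): a guard that decides "already hashed" from the bcrypt prefix alone, next to a version that only skips hashing for a value PHP itself recognises as a complete password_hash() output.

```php
<?php
declare(strict_types=1);

// Added illustration of the reported bug class; this is not Spryker's code.
// Names, the stored-value format and the login check are assumptions made
// for the example.

/**
 * Flawed guard: anything starting with "$2" is assumed to be a bcrypt hash
 * and is returned untouched. A raw password such as "$2correct-horse"
 * therefore reaches the database in clear text.
 */
function encodePasswordWeak(string $password): string
{
    if (strpos($password, '$2') === 0) {
        return $password;
    }

    return password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Hardened guard: only skip hashing when PHP recognises the value as a
 * complete password_hash() output (correct prefix, cost field and length).
 * password_get_info() reports 'unknown' for anything else, so a raw password
 * that merely begins with "$2" is hashed like any other.
 */
function encodePasswordStrict(string $password): string
{
    if (password_get_info($password)['algoName'] !== 'unknown') {
        return $password;
    }

    return password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Assumed login check: the submitted password is verified against the stored
 * value with password_verify(). Against a clear-text stored value this fails,
 * which matches the "cannot access the account" symptom in the report.
 */
function loginSucceeds(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

// Constructed sample inputs for the demonstration.
$ordinary = 'correct-horse-battery';
$prefixed = '$2correct-horse-battery';

foreach ([$ordinary, $prefixed] as $password) {
    $weak   = encodePasswordWeak($password);
    $strict = encodePasswordStrict($password);

    printf("password          : %s\n", $password);
    printf("weak   stores     : %s\n", $weak);
    printf("weak   clear text?: %s\n", $weak === $password ? 'yes' : 'no');
    printf("weak   login ok?  : %s\n", loginSucceeds($password, $weak) ? 'yes' : 'no');
    printf("strict stores     : %s\n", $strict);
    printf("strict algo       : %s\n", password_get_info($strict)['algoName']);
    printf("strict login ok?  : %s\n\n", loginSucceeds($password, $strict) ? 'yes' : 'no');
}
```

The stricter guard is one way to close the hole the post describes; the more robust design is to not let a single method accept both raw passwords and stored hashes at all, and to hash unconditionally at the point where the plaintext enters. password_get_info() validates format only, so a user who deliberately submits a well-formed 60-character bcrypt string as their password would still have it stored as-is by the strict variant; separating the two code paths removes that edge case entirely.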


#2

Hello Florin,

Thanks for reporting the issue. We’ve added it to our backlog and will include a fix for it in one of the future releases of Spryker Core.


Regards,

The Forum Team


#3

Can you elaborate a bit on this topic? I’m completely new to Spryker but reading this scares me. Password in plaintext? Really?


#4

Hello,

The password is stored in clear text only when it begins with $2. We are aware of the problem and will provide a fix for it. In all other cases, the password will be encrypted, of course.


Regards,

The Forum Team


#5

Hi @florin,

In the latest version of spryker/customer there is no such issue. Please update.

WBR,
Valerii


#6

Good to know that it was only related to this special case, and even better to know that it is fixed!

Thanks