I have observed that iTop transmits usernames and passwords in plain text during login. This poses a security risk, as credentials could be intercepted by unauthorized parties.
POST /itop/web/pages/UI.php?login_mode=form HTTP/1.1
Host: *
Cookie: BIGipServeriTOP-Helpdesk=285281290.16415.0000; cookiesession1=678B2876E209540B935D11D954545A06; itop-cccc625803db2ea97734aa176e552d97=4vhnednargrrjpnto1s1hf295j
Content-Length: 60
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="141", "Not?A_Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

auth_user=admin&auth_pwd=admin&login_mode=form&loginop=login
Last edit: Naveenkumar R 4 days ago
In a POST request? That's typical behavior for about every major platform (e.g. even Microsoft online services).
Hi Jeffrey
Thank you for your prompt response and for clarifying.
Hello, yes, like @jbostoen said, it's normal to see credentials in plaintext in the browser console. HTTPS (that should be used by iTop's instances) encrypts data in transit, so they’re only visible locally (e.g. not to someone listening on the network).
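The reply above rests on the instance actually being served over HTTPS. As an added example (not from this thread and not iTop's own code), here is a small check a defender can run against the login URL from the captured request: it flags a plain-HTTP login page that does not redirect to HTTPS, a missing Strict-Transport-Security header, and a session cookie set without the Secure/HttpOnly flags. The sample responses embedded at the bottom are constructed so the check runs offline; the hostname and cookie value are placeholders.

```python
"""Transport check for an iTop login endpoint (added example, not iTop code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

LOGIN_PATH = "/itop/web/pages/UI.php?login_mode=form"  # path from the captured request


def assess_transport(scheme, status, headers):
    """Return findings for one response to the login URL.

    scheme  - 'http' or 'https' of the URL that was requested
    status  - HTTP status code of the response
    headers - list of (name, value) pairs; Set-Cookie may repeat
    """
    findings = []
    lower = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        location = next((v for k, v in lower if k == "location"), "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("login page served over plain HTTP without redirect to HTTPS: "
                            "the POST body (auth_user/auth_pwd) would cross the network in clear")
        return findings
    if not any(k == "strict-transport-security" for k, _ in lower):
        findings.append("no Strict-Transport-Security header: a later visit may start over HTTP")
    for k, v in lower:
        if k != "set-cookie":
            continue
        name = v.split("=", 1)[0]
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly flag")
    return findings


def fetch_and_assess(url):
    """Fetch one URL without following redirects and assess the first response."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=10)
    except urllib.error.HTTPError as err:  # 3xx/4xx are raised, not returned
        resp = err
    status = getattr(resp, "status", None) or resp.code
    return assess_transport(urlsplit(url).scheme, status, list(resp.headers.items()))


# Constructed sample responses (not captured from a real server); the cookie
# name mirrors the one in the captured request, its value is a placeholder.
SAMPLE_HTTP = ("http", 200, [("Content-Type", "text/html")])
SAMPLE_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "itop-cccc625803db2ea97734aa176e552d97=PLACEHOLDER; Path=/; HttpOnly"),
])

if __name__ == "__main__":
    for url in sys.argv[1:] or []:  # e.g. https://itop.example/itop/web/pages/UI.php?login_mode=form
        print(url, fetch_and_assess(url) or ["ok"])
    if not sys.argv[1:]:
        print(assess_transport(*SAMPLE_HTTP))
        print(assess_transport(*SAMPLE_HTTPS))
```

Run it with one or more URLs of your own instance to test the live endpoint; with no arguments it only evaluates the constructed samples.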