Bug#817186: Boobank reveals hidden password

[Cyril Brulebois]

Control: forwarded -1 https://symlink.me/issues/945
Control: tag -1 patch fixed-upstream
Control: severity -1 important

Hi Bertrand,

Just passing by, wondering about weboob's state and why it isn't in
testing, I've just noticed this RC bug.

Bertrand Marc  (2016-03-08):
> Package: weboob
> version: 1.1-1
> Severity: serious
> 
> Dear developper,
> 
> In the case you configure two backends with boobank, storing the login
> but asking for the password (see attached configuration), boobank
> reveals the second password.
> 
> when you call list, the display is messed up as both backends require a
> password on the same line. To login with success, you need to enter the
> first password (hidden), then validate, and enter the second password
> (not hidden anymore).

I've just checked with upstream, it seems this is already fixed in git
after 1.1 (but no 1.2 release yet); they seem to consider the current
severity a bit too high, so I'm adjusting it along with setting various
tags.


KiBi.


signature.asc
Description: Digital signature

Bug#817186: Boobank reveals hidden password

[Bertrand Marc]

Package: weboob
version: 1.1-1
Severity: serious

Dear developper,

In the case you configure two backends with boobank, storing the login
but asking for the password (see attached configuration), boobank
reveals the second password.

when you call list, the display is messed up as both backends require a
password on the same line. To login with success, you need to enter the
first password (hidden), then validate, and enter the second password
(not hidden anymore).

Best regards,
Bertrand
[boursorama]
_module = boursorama
device = Boobank
pin_code = 
login = 
password = 
enable_twofactors = True

[banquepopulaire]
_module = banquepopulaire
website = www.ibps.loirelyonnais.banquepopulaire.fr
login = XX
password = 



signature.asc
Description: OpenPGP digital signature