Security Incident - User attribute values shown in plain text in the Developer Tools
Article ID: 270985

Products

CA Identity Suite

Issue/Introduction

We have a critical security incident in the Identity Portal on our TEST server.


The new Module "Database Passwords" has been added to the IDP - it's for changing passwords.


If I go to the Tasks and open Developer Tools, the web service returns back the whole dataset - passwords are shown in plain text.

Environment

Release : 14.4

Cause

Customers created IM user store attributes where they stored database passwords for users.

These attributes were also added to Setup - Managed Object Attributes - User attributes.

Resolution

The issue should be resolved after removing the attributes related to Oracle passwords from Setup - Managed Object Attributes - User attributes.

This prevents Identity Portal (IP) from obtaining them from Identity Manager (IM), so they no longer appear in the Network tab of the Developer Tools.

Also, they should be marked as shown below in the form:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=QmFqNtFAPAJrwBFetBctkg==

Additional Information

Any attribute value that should be stored but not be visible to the user should be marked as sensitive in the IM user store.

In addition, it may be encrypted.
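
One way to confirm the result after the change is to export the Network tab as a HAR file and scan the JSON response bodies for password-like attributes that still carry a clear value. The script below is an added example, not Broadcom code; the name pattern, URLs, field names and sample responses are constructed assumptions, and only the HAR layout (`log.entries[].response.content`) is standard.

```python
import base64
import json
import re

# Assumption: secret-bearing attribute names match this pattern; replace it
# with the attribute names actually defined in your user store.
SENSITIVE_NAME = re.compile(r"passw|pwd|secret", re.IGNORECASE)

def walk(node, path=""):
    """Yield (path, key, value) for every scalar field in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            else:
                yield child, key, value
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def find_exposed(har):
    """Return (url, json_path) pairs where a sensitive field has a clear value.
    The value itself is never returned, so the report is safe to share."""
    findings = []
    for entry in har["log"]["entries"]:
        content = entry["response"].get("content", {})
        text = content.get("text") or ""
        if content.get("encoding") == "base64":  # HAR marks encoded bodies
            text = base64.b64decode(text).decode("utf-8", "replace")
        try:
            body = json.loads(text)
        except ValueError:
            continue  # not JSON (HTML, scripts, images)
        for path, key, value in walk(body):
            masked = value is None or set(str(value)) <= {"*"}
            if SENSITIVE_NAME.search(key) and not masked:
                findings.append((entry["request"]["url"], path))
    return findings

# Constructed sample: URLs, field names and values are hypothetical.
_leak = json.dumps({"users": [{"attributes": {"login": "jdoe", "dbPassword": "example-value"}}]})
_safe = base64.b64encode(json.dumps({"users": [{"attributes": {"dbPassword": "********"}}]}).encode()).decode()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://portal.example.test/constructed/tasks"},
     "response": {"content": {"mimeType": "application/json", "text": _leak}}},
    {"request": {"url": "https://portal.example.test/constructed/profile"},
     "response": {"content": {"encoding": "base64", "text": _safe}}},
]}}

if __name__ == "__main__":
    for url, path in find_exposed(SAMPLE_HAR):
        print(f"EXPOSED {path} in response from {url}")
```

An empty result for a HAR captured while opening the affected tasks indicates the attributes are no longer returned in clear text to the browser.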