- Status Closed
- Assigned To cbay - Private
Opened by waloodi_109 - 11.05.2025
Last edited by cbay - 13.05.2025
FS#170 - Insecure Cache-Control Leading to View Email and Password.
# Insecure Cache-Control Leading to View Email and Password in https://webmail.alwaysdata.com/?from_roundcube=1.
Hello Team, I hope you are doing well. While researching your domain, I found an insecure Cache-Control leading to viewing the email and password in https://webmail.alwaysdata.com/?from_roundcube=1.
# Steps to Reproduce:
1. Log in to https://webmail.alwaysdata.com/?from_roundcube=1.
2. Visit every page in https://webmail.alwaysdata.com/?from_roundcube=1 after the login.
3. Log out from the account.
4. Click the Back button 9 to 10 times.
5. You can get your email and password in the login form (toggle to see the password).
# Impact:
In a PC scenario in an office, a library, a coffee shop or similar places, an attacker can exploit this vulnerability (since the amount of pages visited after visiting doesn't matter). Also, it is very easy to get access to a laptop, so this is a likely scenario, and once it happens the attacker has full control over the victim's app data since he/she can use the account.
# Note:
Tested in the latest version of Chrome, on a mobile device.
Not exploitable in Firefox.
Thank You,
Waleed Anwar
Watch this Video: https://www.dropbox.com/scl/fi/ppfvss0ejd5hvz8fmgzl7/bandicam-2025-05-12-00-20-57-080.mp4?rlkey=fr9zy8d26v1lowphrdc98xt5c&st=krgasw2f&dl=0
Hello,
If the email and password fields are filled, it's because of your browser autocompletion. They are never filled server-side.
Kind regards,
Cyril
I would recommend that you test it on your side. I removed all history and cache and then tested it on Google, my mobile device and Internet Explorer; this vulnerability is occurring. Test it on your side and you will get that.
Sir, you are saying my browser is auto-filling, right? So what about https://admin.alwaysdata.com/login/?next=/? The browser auto-filling doesn't work for https://admin.alwaysdata.com/login/?next=/.
I also tested on my friend's laptop and it is occurring there. I would recommend that you open this ticket, and you have to fix it.
Any update?
I strongly believe it's not a vulnerability on our side (it's just how Chrome in particular handles bfcache), but we've tweaked Cache-Control nonetheless to prevent Chrome from restoring form controls in that case.
You can claim a (small) bounty by opening a support ticket.
Thanks!
Cyril
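One way to check that responses from login and mailbox pages carry a Cache-Control value that forbids the browser from storing them, as an added example (not alwaysdata's code). The ticket does not say which value was deployed, so requiring `no-store` is an assumption, and the sample headers and function names are constructed for illustration.

```python
import re

# Matches one directive, with an optional token or quoted-string argument.
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^\s,]*))?')


def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for name, arg in _DIRECTIVE.findall(value or ""):
        directives[name.lower()] = arg.strip('"') or None
    return directives


def audit_sensitive_response(headers):
    """Return finding codes for a response that shows credentials or mail."""
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control"))
    findings = []
    if "no-store" not in cc:
        # Assumption: no-store is the directive required on sensitive pages.
        findings.append("no-store-missing")
        max_age = cc.get("max-age") or ""
        if max_age.isdigit() and int(max_age) > 0:
            findings.append("positive-max-age")
    if "public" in cc:
        findings.append("public")
    return findings


# Constructed sample responses, not captured from the site in the ticket.
WEAK = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
HARDENED = {"cache-control": "no-cache, no-store, must-revalidate"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED), ("absent", {})):
        print(label, audit_sensitive_response(hdrs))
```
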