Support » Plugin: Migration, Backup, Staging - WPvivid » security issue on remote storage credentials

security issue on remote storage credentials

  • Resolved Tanvir Roky

    (@tanvirroky)


    1 year, 5 months ago

    If I configure and save an FTP/SFTP account, the credentials can be seen easily from the storage provider setting. If I give someone admin access for any development purpose they can see those data easily. If I use the same server on multiple websites for backup, someone with access to one site can get the credentials and access to another website’s backup files. This might be the same on Amazon and DigitalOcean accounts. I haven’t tried.
    So my suggestion is, do not show the FTP server username and password in the setting. Instead, add a button to edit the information (with empty input fields) if someone wants to reconfigure. Even previous username and password should not display when editing.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 5 months ago

    Hello @tanvirroky

    Thanks for your feedback.

    The passwords for all the cloud storage are already encrypted(not in plain text) on the storage adding and editing page, please see the screenshot. And they are also encrypted in the website databases where they are stored.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    1 year, 5 months ago

    😲 you call this encrypted? It can be shown as plain text just by changing the type to text from inspect element option of any browser. It’s just hidden by CSS. https://snipboard.io/jDefmY.jpg
    Also not encrypted in the database. https://snipboard.io/1SBWKc.jpg

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 5 months ago

    Hi @tanvirroky

    Thanks for your update.

    In that case, your suggestion would be a nice solution. Let us discuss and implement it.

    The password is encrypted in the database, as you can see in this screenshot, the password in the screenshot is not the real password, it has been encoded. Is the one in your screenshot the real password?

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    1 year, 5 months ago

    Thanks for your concern.
    Yes, the password is in plain text in the database in both of my screenshots (?%_______%%). The screenshot you shared is also showing in plain text i guess. One more thing, If the password is encrypted oneway in the database how could it be used next time when need to connect. Encryption on database is not nessacery i thing. You can add a function to ask FTP password/access key when retrieving a backup file from the remote server or trying to download it. Because if password is not encrypted and someone downloads the backup file and restores it on another host, they can get the FTP information there. Asking FTP password to retrieve or download backup file will be another level of security.

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 5 months ago

    Hi @tanvirroky

    Sorry that after checking it with our developers, I realized that it has not implemented in the free version yet(the screenshot I sent you was from the pro version). So, let us discuss and implement it as well.

    The password in my screenshot is in plain text but has been encoded, therefore is not the real password, for example, the real password is 123 while in the database it has been encoded to 6789. It does not affect next connection.

    All the best,

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 5 months ago

    Hi @tanvirroky

    After discussing it, we have decided to implement your suggestion of ‘do not show the FTP server username and password in the setting’. Also we have decided to implement encryption of the storage password in database in the next few versions.

    Thanks again for your suggestions to help improve the plugin.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    1 year, 5 months ago

    Thanks a lot.

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 4 months ago

    No problem and thanks again!

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 4 months ago

    Hi @tanvirroky

    The new version 0.9.72 is ready. In the new version, we have implemented the features you suggested, you can update the plugin and check it out.

    All the best,

    Thread Starter Tanvir Roky

    (@tanvirroky)

    1 year, 3 months ago

    Thank you so much

    Plugin Support tonyrobins

    (@tonyrobins)

    1 year, 3 months ago

    No problem.

    All the best

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘security issue on remote storage credentials’ is closed to new replies.

Views