
Apigee Developer Portal Kickstart 9.5.11 version - Not Encrypting client credentials from client browser to network #1104

Open
mnimakwala opened this issue Dec 22, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@mnimakwala

Description

We have installed Apigee Developer Portal Kickstart version 9.5.11. We have observed that this module does not encrypt the user password when the request travels from the user's browser to the network. At the network level we have enabled TLS, so the request is encrypted. This leaves us in a situation with a vulnerable product. Can we enable encryption? If yes, please guide. If not, please share a valid reason. Any plan for future releases?

Apigee Info

We are using Apigee OPDK version 4.52.00.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to 'Drupal login page'
  2. Enter "User id and Password"
  3. Click on 'Login button'
  4. Click on browser's 'More Tools > Developer tools > Network > Payload'

Actual Behavior

User password in plain text is visible in Payload option.

Expected Behavior

User password is expected to be visible in encrypted format.

Screenshots

NA

Notes

In any compliance-driven industry this kind of behavior is prone to vulnerabilities.

Version Info

Apigee Developer Portal Kickstart version - 9.5.11
Apigee version - 4.52.00

If any more details are required, please ask.

Thanks,
Mustufa
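The Payload tab in the browser's developer tools shows the request body as the browser built it, before TLS encrypts it on the wire, so what a defender can verify is that the browser never sends that body over plain HTTP. As an added example (not from this thread or the Kickstart project), the Python script below audits a constructed Drupal-style login page response for an https form action, a Strict-Transport-Security header and a Secure session cookie; the URL, header and cookie values are assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, headers, set_cookies, html):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        # An empty or relative action resolves against the page URL itself.
        scheme = urlparse(urljoin(page_url, action)).scheme
        if scheme != "https":
            findings.append(f"form action {action!r} resolves to {scheme}, not https")
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header; later visits may downgrade to http")
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks the Secure flag")
    return findings


# Constructed sample responses for a Drupal-style /user/login page (assumed values).
HARDENED = dict(
    page_url="https://portal.example.com/user/login",
    headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    set_cookies=["SSESSabc123=token; Path=/; Secure; HttpOnly; SameSite=Lax"],
    html='<form action="/user/login" method="post"><input name="pass" type="password"></form>',
)
WEAK = dict(
    page_url="http://portal.example.com/user/login",
    headers={},
    set_cookies=["SESSabc123=token; Path=/; HttpOnly"],
    html='<form action="http://portal.example.com/user/login" method="post"></form>',
)
```

`audit_login_page(**HARDENED)` returns an empty list, while the weak sample yields one finding per check.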

@mnimakwala mnimakwala added the bug Something isn't working label Dec 22, 2024
@mnimakwala mnimakwala changed the title Drupal 9.5 Encryption from browser to network Apigee Developer Portal Kickstart 9.5.11 version - Not Encrypting client credentials from client browser to network Dec 22, 2024
@kedarkhaire
Collaborator

Hi @mnimakwala

Thanks for bringing this to our eyes; we will have an internal discussion on it and will update here.

@mnimakwala
Author

Hi Kedar,

Thanks for picking this up. We are eagerly looking for a solution to this issue.
Awaiting your quick response on this.

Thanks,
Mustufa

@kedarkhaire
Collaborator

Hi @mnimakwala

To be very clear, this issue occurs on all Drupal versions I checked.
I will address this issue in our next-to-next release; I have added it to our queue, but many things are in process, so it will take some time.

In the meantime, if you have a solution for this issue, we are open to your contribution on this.

Thanks!

@mnimakwala
Author

Hi Kedar,

Thanks for your quick update.
I have a few questions:

  1. We have tried the Encrypt and Password Encrypt modules, but they didn't encrypt the user password. They give the error message "Multiple Encryption of Password in User Profile form which lead to user unable to login next time." This error is not allowing us to log in. Unfortunately we had to remove this module. Is this module advisable to use in production? How can we rest assured that the community has given the go-ahead for modules to be used in production systems?
  2. We referred to the URLs below, which mention a solution. We don't know whether anyone has implemented it or not. Is this something we can try out? We also need to see whether the encryption method uses the latest AES-256 for a production-grade module.
    https://durpal.stackexchange.com/questions/217952/how-do-you-force-drupal-login-to-encrypt-the-credentials
    https://drupal.org/project/drupal/issues/3478977
  3. As you mentioned, you will address this issue in the next-to-next release. Can we know whether it has been evaluated and added to a release? What is the estimated ETA for this?

Awaiting your quick response.

Thanks,
Mustufa

@kedarkhaire
Collaborator

Hi @mnimakwala

For the 1st - Using Drupal forms also provides the same output; as you can see, the user module is still in use with the points you mentioned.

For the 2nd - The 1st link is not working, so I cannot refer to the point. For your issue, Jay has already created the issue on the Drupal core module 'user', so if the changes are added by the Drupal community there, we can also test the same in our forms.

For the 3rd - I wanted to say that we can consider it for the next-to-next release, but currently there is no solution or resolution present for it, so it is not yet evaluated for grooming either. Once we achieve that, then, with a proper solution, it will be discussed here.
Apologies, I used the word "release" earlier, which caused a misunderstanding.

Thanks!
