Cleartext Storage of Sensitive Information (CWE 312)


Classified as non-critical

Discovery description

When using the Web Client, users remain logged in, and their data remains in the browser's Local Storage, even after the browser tab or the browser itself is closed. If a user does not log out, an uninvolved third party with access to the user's PC can reach the data in the browser's Local Storage simply by reopening the browser.

Assessment of the developer

The manufacturer considers this behaviour non-critical because it requires access to the user's PC, and the private key in the Local Storage is encrypted. However, to cover these scenarios as well, the web and desktop clients as of version 3.10.0 contain an additional checkbox in the login view that must be used to confirm a permanent login. This checkbox is not preselected and must be proactively selected by the user. Only if the user selects it does the user remain permanently logged in. Otherwise, when the browser tab is closed, the browser is closed or the desktop client is closed, the user is automatically logged out and the data in the Local Storage is deleted. Careless use of the web client by a user thus no longer allows a third party to obtain the Session_ID.
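The opt-in behaviour described above can be implemented on the client side by choosing the storage area at login time. The following is an added example, not code from the vendor's web client: it keeps the session in Session Storage (which the browser discards when the tab or browser is closed) unless the user ticked the "stay logged in" box, in which case it goes to Local Storage. The key name `session_id`, the `MemoryStorage` stand-in for the Web Storage API and the element ids in `attachToPage` are assumptions made for this example so that the logic runs outside a browser.

```javascript
// Added example (not the vendor's code). In a browser, pass
// { local: window.localStorage, session: window.sessionStorage } as `stores`.

const SESSION_KEY = "session_id"; // hypothetical key name for the stored Session_ID

// Minimal in-memory stand-in for the Web Storage API (constructed for this example)
// so the logic can be exercised without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
  clear() { this.map.clear(); }
  get length() { return this.map.size; }
}

function makeStores() {
  return { local: new MemoryStorage(), session: new MemoryStorage() };
}

// Store the session after a successful login. Local Storage survives closing the
// tab or browser; Session Storage does not. The checkbox state decides which one
// is used, and the other store is cleared so no stale copy is left behind.
// Returns the name of the store that received the session.
function storeSession(sessionId, stayLoggedIn, stores) {
  const target = stayLoggedIn ? stores.local : stores.session;
  const other = stayLoggedIn ? stores.session : stores.local;
  other.removeItem(SESSION_KEY);
  target.setItem(SESSION_KEY, sessionId);
  return stayLoggedIn ? "local" : "session";
}

// On page load: resume a session from whichever store holds one, or null.
function loadSession(stores) {
  return stores.local.getItem(SESSION_KEY) ?? stores.session.getItem(SESSION_KEY);
}

// Explicit logout: remove the session from both stores regardless of the mode.
function logout(stores) {
  stores.local.removeItem(SESSION_KEY);
  stores.session.removeItem(SESSION_KEY);
}

// Simulates what the browser does to Session Storage when the tab is closed.
function simulateTabClose(stores) {
  stores.session.clear();
}

// Wiring for a real page (hypothetical element ids "login-form", "session-id",
// "stay-logged-in"). Not executed in this example.
function attachToPage(doc, win) {
  const stores = { local: win.localStorage, session: win.sessionStorage };
  doc.getElementById("login-form").addEventListener("submit", (ev) => {
    ev.preventDefault();
    const sessionId = doc.getElementById("session-id").value; // obtained from the server
    const stay = doc.getElementById("stay-logged-in").checked; // unchecked by default
    storeSession(sessionId, stay, stores);
  });
}

module.exports = { MemoryStorage, makeStores, storeSession, loadSession, logout, simulateTabClose, attachToPage };
```

Because the default path never writes to Local Storage, a user who simply closes the browser leaves no Session_ID behind; only a deliberate opt-in changes that. Anything that must persist across sessions (such as the encrypted private key the vendor mentions) is a separate decision from where the session token lives.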