Author Topic: passwords sent in clear text  (Read 3973 times)

Offline ralf223

passwords sent in clear text
« on: February 15, 2017, 06:19:21 PM »
Hello -

After logging in to Roundcube (0.7), my password remains visible in plain text (!) in the browser history. Even days later, someone can potentially log into my account by typing a single letter into the browser's URL field. They can also retrieve my email address and password.

Is this normal, or does my mail administrator (tuffmail.com) have Roundcube configured wrong somehow? Has this been addressed in a later release?

Thanks for any advice,
RB

Offline SKaero

  • Administrator
Re: passwords sent in clear text
« Reply #1 on: February 15, 2017, 11:43:44 PM »
Wow, that's bad on so many levels.

1. Password remains visible in plain text in the browser history
This is a Tuffmail problem. You'll notice the file is "rclogin-2.php"; that isn't a Roundcube file, it's something that Tuffmail has built. Badly.

2. Roundcube (0.7)
It seems that Tuffmail offers two versions of Roundcube, both of which are extremely out of date with known security vulnerabilities:
0.7.2 - released March 11, 2012 (nearly 5 years out of date)
0.5.3 - released June 02, 2011 (over 5 and 1/2 years out of date), and not even the last release in the 0.5.x branch

Needless to say I'd recommend switching providers ASAP!
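
Added example, not part of the original posts and not Roundcube or Tuffmail code: a password that survives in browser history is the symptom of credentials travelling in the URL query string, and the same URLs also land in web server and proxy logs. The sketch below flags and redacts such URLs in an exported history or access log; the host name, the parameter names and the sample URLs are constructed assumptions, since the thread does not show the real ones.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the thread does not show what the login page really uses.
SENSITIVE = {"pass", "password", "passwd", "pwd", "_pass"}


def find_credential_params(url):
    """Return names of non-empty query parameters that look like passwords."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE and value]


def redact(url):
    """Return the URL with every sensitive query value replaced by a marker."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit(urls):
    """Return (redacted_url, flagged_names) for each URL exposing a credential."""
    findings = []
    for url in urls:
        names = find_credential_params(url)
        if names:
            findings.append((redact(url), names))
    return findings


# Constructed sample entries, as they might appear in an exported history.
SAMPLE_HISTORY = [
    "https://webmail.example.invalid/rclogin-2.php"
    "?user=rb%40example.invalid&pass=hunter2",
    "https://webmail.example.invalid/?_task=mail&_mbox=INBOX",
    "https://webmail.example.invalid/rclogin-2.php",
]

if __name__ == "__main__":
    for redacted_url, names in audit(SAMPLE_HISTORY):
        print(f"credential in URL ({', '.join(names)}): {redacted_url}")
```

A login form that submits with POST over HTTPS keeps the password out of the URL, so it never reaches history, autocomplete or access logs in the first place.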

Offline ralf223

Re: passwords sent in clear text
« Reply #2 on: February 16, 2017, 10:26:13 AM »
Thanks for the prompt reply - that's very helpful. Will follow up with Tuffmail.

And thanks also for a great mail client!

RB