Security Concern – password reveal


Viewing 3 posts - 1 through 3 (of 3 total)
  • #6007
    Chris Bingham
    Participant

    Noticed in FaxFinder 3.2.7 that when a user goes to the ‘Fax Servers’ section and Edits a fax server, the password is auto-populated. What’s more is that they can hit Show Password and the password is fully visible.

    This has a number of bad implications but for our company the primary concern is that we’re using AD credentials to log in, and this means that FaxFinder 3.2.7 allows for potential access to obtain a user’s domain credentials.

    Seems like a fairly large security concern to me, as while we do our best to try to educate users as to the dangers of leaving their PC unlocked when they aren’t at their desk, there’s always that time where they forget or mean to be gone for a few seconds but get caught up in a discussion with someone, etc.

    #6009
    Darrik Spaude
    Keymaster

    Hi Chris,

    Your concern was passed to our development group, but there hasn’t been a decision on what they would like to do. While the password is being passed to the client, there is an option to use SSL (enabled by default). However, as you stated, if someone had access to the PC then they could obtain the credentials. The interim solution is to urge employees to practice secure habits (e.g. locking the screen when walking away), but probably don’t describe why they should do that (e.g. someone could open up Application XYZ, click on this or that, show password, etc.).

    I think our ideal solution would have to be that we don’t allow the password to be shown and don’t send the password itself to the client either.
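
The approach described in the reply above (never send the stored password to the client, so there is nothing to show), as an added example that is not part of the original thread and is not FaxFinder code. The record fields, function names and sample values are assumptions constructed for illustration.

```python
# Constructed sample store; field names are assumptions, not FaxFinder's schema.
# How the secret is protected at rest is out of scope for this example.
SERVERS = {
    1: {"name": "HQ fax", "host": "fax.example.internal",
        "username": "cbingham", "password": "S3cret-constructed"},
}

def view_for_edit(server_id):
    """Build what the Edit dialog receives: a flag instead of the secret."""
    rec = SERVERS[server_id]
    return {
        "id": server_id,
        "name": rec["name"],
        "host": rec["host"],
        "username": rec["username"],
        "password_set": bool(rec["password"]),  # UI shows a placeholder only
    }

def apply_edit(server_id, form):
    """Apply an edit. A blank or missing password keeps the stored one."""
    rec = SERVERS[server_id]
    new_pw = form.get("password") or None
    # A stored secret must not follow a changed host or username:
    # require the user to type the password again in that case.
    retarget = any(f in form and form[f] != rec[f] for f in ("host", "username"))
    if retarget and new_pw is None:
        raise ValueError("re-enter the password when host or username changes")
    for f in ("name", "host", "username"):
        rec[f] = form.get(f, rec[f])
    if new_pw is not None:
        rec["password"] = new_pw
    return view_for_edit(server_id)  # the response never echoes the secret

if __name__ == "__main__":
    print(view_for_edit(1))
    print(apply_edit(1, {"name": "HQ fax (renamed)", "password": ""}))
```

With this shape a "Show Password" control can only reveal what the user has just typed into the field, because the stored value never reaches the client.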

    #6044
    Darrik Spaude
    Keymaster

    Hi Chris,

    The FaxFinder server firmware that has this password reveal fix will be released either later today or tomorrow. It will be version 3.3.6. The client software with this fix will be released a little later this year.

    Best Regards,
    Darrik
