[android]webview save password in plaintext #17439

Closed
anyger opened this issue Jan 4, 2018 · 1 comment
Labels
Ran Commands One of our bots successfully processed a command. Stale There has been a lack of activity on this issue and it may be closed soon.

Comments

@anyger

anyger commented Jan 4, 2018

Is this a bug report?

(Yes)

Have you read the Contributing Guidelines?

(Yes)

Environment

com.facebook.react:react-native:0.44.0

Steps to Reproduce

When the user chooses to save the user name and password entered in the WebView, they are explicitly stored in the databases/webview.db of the application data directory, because the WebView setSavePassword setting is ignored. If the phone is rooted, you can get the plaintext saved password, resulting in leakage of the user's sensitive personal data.

Several methods that may cause this loophole were found, as follows:

Lcom/facebook/react/views/webview/ReactWebViewManager; receiveCommand (Landroid/webkit/WebView; I Lcom/facebook/react/bridge/ReadableArray;)V-->Landroid/webkit/WebView; loadUrl (Ljava/lang/String;)V

Lcom/facebook/react/views/webview/ReactWebViewManager; receiveCommand (Landroid/webkit/WebView; I Lcom/facebook/react/bridge/ReadableArray;)V-->Landroid/webkit/WebView; loadUrl (Ljava/lang/String;)V

Lcom/facebook/react/views/webview/ReactWebViewManager; setSource (Landroid/webkit/WebView; Lcom/facebook/react/bridge/ReadableMap;)V-->Landroid/webkit/WebView; loadUrl (Ljava/lang/String; Ljava/util/Map;)V

Lcom/facebook/react/views/webview/ReactWebViewManager; setSource (Landroid/webkit/WebView; Lcom/facebook/react/bridge/ReadableMap;)V-->Landroid/webkit/WebView; loadUrl (Ljava/lang/String;)V

Calling WebView.getSettings().setSavePassword(false) can prohibit users from saving passwords, which may avoid this loophole.

http://developer.android.com/reference/android/webkit/WebSettings.html#setSavePassword(boolean)

Expected Behavior

(Write what you thought would happen.)

Actual Behavior

(Write what happened. Add screenshots!)

Reproducible Demo

(Paste the link to an example project and exact instructions to reproduce the issue.)
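The mitigation proposed in the report above, sketched as an added example that is not part of the original issue or of React Native's own code. It assumes the app registers this hypothetical `NoSavedPasswordWebViewManager` in its own `ReactPackage` and exposes it to JavaScript under the hypothetical name `RCTNoSavedPasswordWebView`; the class, package and method names other than the Android and React Native APIs are made up for illustration.

```java
package com.example.hardening; // hypothetical package name

import android.content.Context;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewDatabase;

import com.facebook.react.uimanager.ThemedReactContext;
import com.facebook.react.views.webview.ReactWebViewManager;

/** Hypothetical ReactWebViewManager subclass that turns off WebView credential storage. */
public class NoSavedPasswordWebViewManager extends ReactWebViewManager {

    // Own name so it does not clash with the stock WebView manager (assumption).
    private static final String REACT_CLASS = "RCTNoSavedPasswordWebView";

    @Override
    public String getName() {
        return REACT_CLASS;
    }

    @Override
    protected WebView createViewInstance(ThemedReactContext reactContext) {
        WebView webView = super.createViewInstance(reactContext);
        disableCredentialStorage(webView);
        purgeStoredCredentials(reactContext);
        return webView;
    }

    /** Stops the WebView from offering to remember passwords and form input. */
    @SuppressWarnings("deprecation") // both setters are deprecated on newer API levels
    static void disableCredentialStorage(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setSavePassword(false);
        settings.setSaveFormData(false);
    }

    /** Removes credentials an earlier build may already have written to the WebView database. */
    @SuppressWarnings("deprecation") // deprecated on newer API levels, still needed on old ones
    static void purgeStoredCredentials(Context context) {
        WebViewDatabase db = WebViewDatabase.getInstance(context);
        if (db.hasUsernamePassword()) {
            db.clearUsernamePassword();
        }
    }
}
```

Disabling the setting only prevents new entries, which is why the sketch also clears credentials saved before the change shipped.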

@react-native-bot
Collaborator

Thanks for posting this! It looks like you may not be using the latest version of React Native, v0.53.0, released in January 2018. Can you make sure this issue can still be reproduced in the latest version?

I am going to close this, but please feel free to open a new issue if you are able to confirm that this is still a problem in v0.53.0 or newer.

How to Contribute | What to Expect from Maintainers

@react-native-bot react-native-bot added Ran Commands One of our bots successfully processed a command. Stale There has been a lack of activity on this issue and it may be closed soon. labels Feb 24, 2018
@facebook facebook locked and limited conversation to collaborators May 15, 2018