Server sends passwords in cleartext to a log server.

Description

Web servers maintain logs for various purposes, such as periodic audits and problem resolution.

These logs should be stored securely and must not be accessible to the public. Due to server misconfigurations, however, logs are sometimes publicly accessible.

If logs are publicly accessible and contain plaintext passwords, that is a significant threat: every user's credentials, and the accounts they belong to, will be compromised.

Also, many users reuse the same password across multiple sites, so attackers may be able to compromise those users' other accounts, such as Gmail or Facebook.

Impact

  • User credentials may get compromised.
  • If the user has the same password for other accounts, all of those accounts will be at risk.

Prevention

  • Never store passwords in log files.
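One way to enforce this in the application layer, shown here as an added example rather than code from the original page: redact credential fields before a request is logged, and attach a logging filter to the handler as a second line of defence for anything that reaches the logger as free text. The parameter names in SENSITIVE_KEYS, the dict-shaped request parameters and the sample values are all assumptions constructed for this example.

```python
"""Added example (not from the original page): keep passwords out of log files
by redacting them before the log record is written.

Assumptions (all constructed for this example): the web application receives
form/query parameters as a dict, and its access log goes through the standard
`logging` module. SENSITIVE_KEYS is a typical starting set, not a complete list.
"""
import logging
import re
from typing import Any, Mapping

# Parameter names whose values must never be logged (compared lower-cased).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password",
                  "confirm_password", "token", "secret", "authorization"}

REDACTED = "[REDACTED]"

# Matches `key=value` pairs for sensitive keys inside free-form text such as a
# query string. The value runs up to the next '&', whitespace or ';'.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS))) + r")=([^&\s;]*)"
)


def redact_params(params: Mapping[str, Any]) -> dict:
    """Return a copy of the request parameters with sensitive values replaced.

    Key matching is case-insensitive so `Password` and `PASSWORD` are caught
    too; non-sensitive values pass through unchanged.
    """
    return {
        k: (REDACTED if k.lower() in SENSITIVE_KEYS else v)
        for k, v in params.items()
    }


def redact_text(text: str) -> str:
    """Replace the value of any `key=value` pair whose key is sensitive."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


class CredentialRedactingFilter(logging.Filter):
    """logging.Filter that scrubs credentials from the fully formatted message.

    It runs after argument interpolation, so `logger.info("q=%s", qs)` is
    scrubbed as well. Attach it to the handler so that every record written
    through that handler is covered, not only records from a single logger.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()          # already interpolated; prevent re-formatting
        return True               # never drop the record, only scrub it


def scrub_via_filter(msg: str, *args: Any) -> str:
    """Run a message through the filter exactly as a handler would."""
    record = logging.makeLogRecord({"msg": msg, "args": args, "levelno": logging.INFO})
    CredentialRedactingFilter().filter(record)
    return record.getMessage()


def log_login_attempt(logger: logging.Logger, params: Mapping[str, Any]) -> dict:
    """Log a login attempt safely and return the redacted view that was logged."""
    safe = redact_params(params)
    logger.info("login attempt params=%s", safe)
    return safe


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(CredentialRedactingFilter())
    log = logging.getLogger("access")
    log.addHandler(handler)
    log.setLevel(logging.INFO)

    # Constructed sample request, not real data.
    log_login_attempt(log, {"username": "alice", "Password": "hunter2"})
    # A raw query string logged without redact_params is still caught by the filter.
    log.info("GET /login?user=alice&password=hunter2&remember=1")
```

The structured redaction (redact_params) is the primary control, because it works on field names rather than guessing at text; the filter only catches credentials that leak into a free-form string in a recognisable `key=value` shape, so it should be treated as a safety net rather than the sole control.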