HTTP 500 password plain text

Hi everyone,
It is my first post here and I believe that it should be useful from the beginning.
I found that when my RPi 3 is off and not connected to power, and I try to open the mobile openHAB2 app, I receive an HTTP 500 response with the username and password in plain text. That’s a big security issue.

Have a nice day.
BR,

Are you using a reverse proxy for authentication or myopenhab.org?

I am using myopenhab on 443 and it was working perfectly before. I wasn’t trying to resolve this issue before knowing what happened.

I don’t think that I understand…
What is the security issue, since you are getting a secured (https) response from myopenhab.org? (That’s not plain text.)
Which host is generating the HTTP 500?

I have got the REST API URL myopenhab.org/rest/bindings response, where I have the username, password and exception stack: java.io.Exception: openHAB is offline

I can attach print screen

A print screen will help (mask the password).

By the way: if the protocol is https, then there shouldn’t be a big issue.
Of course, this should be fixed imo.

Sorry I didn’t add the print screen right away, I had to mask the password and clear the metadata.

I am just wondering whether the exception stack should be visible to the user, and even his password; what if the phone is stolen or the password is picked up by a “friend”?

That “what if” covers many scenarios… including more dangerous ones :slight_smile:

Anyway, you are right… they should fix this… can you open up an issue on GitHub for this?

Yes, you are right that there are more dangerous scenarios if the phone were stolen.
I will open a GitHub issue.

Done:

…and it seems that you should close it now :slight_smile:

Yes, looks like a workaround.

I had the same issue today, where all my guests could see my password in plain text. I hope this issue can be fixed without disabling debug messages…

There is no issue.
Do not enable debug… (it’s disabled by default…)
I want to have the password visible in debug mode.

And I want it the other way around :slight_smile:

Then go ahead and convince the developers :stuck_out_tongue:

It’s not a big issue for me.
However, when I rent out the space in the summer and something crashes, it is a great help for me to know what happened (they tell me what is displayed on one of the tablets in the flat) so that I can potentially fix the rules/items to avoid it in the future. For obvious reasons I do not want the password to be shown. This could easily be achieved by a separate setting in the app, where you check “Display password in plain text in debug mode”; to be able to uncheck this you would need to confirm with your password or something, of course.

You should lower your commercial charges then.
You are using an open source app for HA hobbyists to make money, after all :stuck_out_tongue:

I wouldn’t really say I am making money, it rather barely pays for OH gadgets… Just a few days now and then on Airbnb when I am out sailing :)

So: you want the people who occasionally rent your apartment to be able to call you while you sail with the debug message, so you can fix some rules remotely (from the boat?), but you don’t want the password to be shown in the debug screen of the mobile app…

Good luck convincing anyone with this argument :stuck_out_tongue:

(why do I even bother???)