Spark / SPARK-1601

Encode passwords with a more secure mechanism

    Details

      Description

      Spark uses a hardcoded key (visible in the source code on GitHub in src/java/org/jivesoftware/spark/util/Encryptor.java) to encrypt passwords saved in spark.properties, which makes them easy to decrypt. However, an attacker first has to gain access to the victim's system in order to obtain this file.

      Additional disclosure links:
      http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/
      https://www.pentestgeek.com/2012/12/26/recover-spark-im-stored-passwords-with-metasploit/
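
One possible shape for the "more secure mechanism" the title asks for, as an added example that is not Spark's code or part of the original report: the saved value is encrypted with AES-GCM under a key derived from a passphrase the user supplies at startup, so neither the source code nor the properties file alone is enough to decrypt it. The class and method names, the passphrase prompt this implies, and the PBKDF2 iteration count are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not Spark's code.
public class SavedPasswordDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit AES key from a secret that is never written to disk.
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 600_000, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Returns base64(salt || iv || ciphertext+tag), usable as a properties value.
    static String protect(String password, char[] passphrase) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt); // fresh salt per stored value
        RNG.nextBytes(iv);   // fresh nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[28 + ct.length];
        System.arraycopy(salt, 0, out, 0, 16);
        System.arraycopy(iv, 0, out, 16, 12);
        System.arraycopy(ct, 0, out, 28, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String recover(String stored, char[] passphrase) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] salt = Arrays.copyOfRange(in, 0, 16), iv = Arrays.copyOfRange(in, 16, 28);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        // Throws AEADBadTagException if the passphrase is wrong or the value was altered.
        return new String(c.doFinal(in, 28, in.length - 28), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String stored = protect("constructed-sample-password", "master passphrase".toCharArray());
        System.out.println("stored value: " + stored);
        System.out.println("recovered:    " + recover(stored, "master passphrase".toCharArray()));
    }
}
```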

            People

            Assignee: Unassigned
            Reporter: wroot