Public Report
Report From: Delphi-BCB/VCL/Standard Controls/TEdit
Report #: 87417
Status: Open
Title: Security issue with TEdit used as password field
Project: Delphi
Build #: 14.0
Version: 14.0
Submitted By: Markus Humm
Report Type: Minor failure / Design problem
Date Reported: 8/21/2010 6:13:08 AM
Severity: Commonly encountered problem
Last Updated: 3/20/2012 2:24:39 AM
Platform: All versions
Internal Tracking #: 280759
Resolution: None
Resolved in Build: None
Duplicate of: None
Voting and Rating
Overall Rating: No Ratings Yet
0.00 out of 5
Total Votes: 5
Description
If one uses TEdit as a password entry field (using password chars) there's a little security issue:

TEdit by default has a popup menu with edit commands and an undo command.

If somebody enters a valid password, removes it from the edit and leaves the PC unattended, somebody else can recover the password (even if he can't see it as it's protected by those password chars) and log in. I'd call this a security issue.

Would it be possible to deactivate the undo command in the popup menu if password chars are used?
Steps to Reproduce:
1. create a VCL forms app

2. place a TEdit on it and set a password char like *

3. run the app and enter something in the edit

4. select all you've entered into the edit and delete it

5. right click within the edit and in the context menu select "undo"

6. find out that everything you've deleted is here again
Workarounds
None
Attachment
None
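
An application-side mitigation for the behaviour reported above, as an added example that is not part of the original report and not VCL code. The unit name `PasswordEdit` and the class `TNoUndoPasswordEdit` are hypothetical; it assumes the undo requests reach the control as `WM_UNDO` or `EM_UNDO` and relies on the existing `TCustomEdit.ClearUndo` method.

```delphi
unit PasswordEdit;  // hypothetical unit name

interface

uses
  Windows, Messages, Classes, StdCtrls;  // Delphi 2010 (14.0) unit names

type
  // Hypothetical TEdit descendant: behaves like TEdit, but keeps no undo
  // history while PasswordChar is set.
  TNoUndoPasswordEdit = class(TEdit)
  private
    function Masked: Boolean;
    procedure WMUndo(var Message: TMessage); message WM_UNDO;
    procedure EMUndo(var Message: TMessage); message EM_UNDO;
  protected
    procedure Change; override;
  end;

implementation

function TNoUndoPasswordEdit.Masked: Boolean;
begin
  Result := PasswordChar <> #0;
end;

procedure TNoUndoPasswordEdit.Change;
begin
  // Empty the control's undo buffer after every edit, so text that was
  // typed and then deleted cannot be brought back later.
  if Masked and HandleAllocated then
    ClearUndo;  // sends EM_EMPTYUNDOBUFFER
  inherited Change;
end;

procedure TNoUndoPasswordEdit.WMUndo(var Message: TMessage);
begin
  // Ignore undo requests while masked; otherwise keep default behaviour.
  if Masked then Message.Result := 0 else inherited;
end;

procedure TNoUndoPasswordEdit.EMUndo(var Message: TMessage);
begin
  if Masked then Message.Result := 0 else inherited;
end;

end.
```

Clearing the edit's text once the password has been consumed (for example after a successful login) and calling `ClearUndo` at that point covers the same case for a plain `TEdit`.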
Comments

Markus Humm at 10/7/2010 10:22:59 AM -
Using the win32 client I see I gave it 4 votes but total votes are -1?
I'm not yet aware that one can cast negative votes as well?
