The username and password are potentially exposed when the game makes a request for updates:
https://www.factorio.com/updater/get-to ... ssword=YYY
This is not a problem in itself, since the URLs of GET requests over HTTPS are encrypted, but web servers have a nasty habit of logging the URL part of these requests. This could mean that thousands of passwords are sitting in plain text in an easily accessible log file. If this is the case, can I suggest changing this to a POST request or instructing the web server to be less verbose when logging certain URLs.
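To make the concern in the post above concrete, here is an added example (not Factorio's code, and not written by anyone in this thread): a small scanner that reads web-server access-log lines, spots query-string parameters whose names suggest a secret, and emits a redacted copy. The log lines, hostnames, paths and parameter names below are constructed for the example; the real updater URL in the post is truncated and is not reproduced here. The POST line in the sample shows why the switch the poster suggests helps: a request body never appears in the access log's request line, so there is nothing for the scanner (or an attacker reading the log) to find.

```python
"""Scan web-server access logs for credentials leaked through GET query strings.

Added example for this thread: the log lines below are constructed to resemble
Apache/nginx combined-format entries in which a client sent its username and
password as GET parameters. Hosts, paths and parameter names are hypothetical.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log (not real traffic). Line 3 is a POST: the body is not logged.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2014:15:42:01 +0000] "GET /updater/check?username=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Factorio/0.9.0"
203.0.113.6 - - [03/Feb/2014:15:42:07 +0000] "GET /updater/check?username=bob&passwd=s3cret%21 HTTP/1.1" 200 498 "-" "Factorio/0.9.0"
203.0.113.7 - - [03/Feb/2014:15:43:11 +0000] "POST /updater/check HTTP/1.1" 200 510 "-" "Factorio/0.10.0"
203.0.113.8 - - [03/Feb/2014:15:44:20 +0000] "GET /updater/releases?version=0.9.0 HTTP/1.1" 200 2048 "-" "Factorio/0.9.0"
"""

# Parameter names treated as secrets. This list is an assumption for the example;
# extend it to match the application being audited.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "api_key", "apikey"}

# The quoted request line of a combined-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target: str) -> tuple[str, list[str]]:
    """Return (redacted_target, names_of_leaked_params) for one request target.

    Non-secret parameters keep their values; secret ones are replaced with a
    marker so the log stays useful for debugging without holding the password.
    """
    parts = urlsplit(target)
    leaked: list[str] = []
    cleaned: list[tuple[str, str]] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            leaked.append(name)
            cleaned.append((name, "[REDACTED]"))
        else:
            cleaned.append((name, value))
    new_query = urlencode(cleaned, safe="[]")
    redacted = urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))
    return redacted, leaked


def scan_log(text: str) -> dict:
    """Scan access-log text.

    Returns {"findings": [...], "redacted": str}. Each finding records the
    1-based line number, HTTP method and the secret parameter names seen there.
    Lines without a parsable request line are passed through unchanged.
    """
    findings = []
    out_lines = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            new_target, leaked = redact_target(m.group("target"))
            if leaked:
                findings.append({"line": lineno, "method": m.group("method"), "params": leaked})
                line = line[: m.start("target")] + new_target + line[m.end("target"):]
        out_lines.append(line)
    return {"findings": findings, "redacted": "\n".join(out_lines)}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"line {f['line']}: {f['method']} request leaks {', '.join(f['params'])}")
    print()
    print(result["redacted"])
```

Running the scanner over an existing log is a one-off clean-up; the durable fixes are the ones the post names: move the credentials out of the URL (a POST body, or an Authorization header, neither of which is written to the access log by default) and, where the URL cannot change, configure the server not to log those request paths.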
Passwords lying around in web server logs?
- Burner Inserter
- Posts: 8
- Joined: Mon Feb 03, 2014 3:42 pm
Re: Passwords lying around in web server logs?
Good point. In fact, only hashes of those passwords should be sent...
I have no idea what I'm talking about.
- y.petremann
- Filter Inserter
- Posts: 421
- Joined: Mon Mar 17, 2014 4:24 pm
Re: Passwords lying around in web server logs?
I agree, only hashes of the passwords should be sent (we don't know how passwords are stored, but if they are plain passwords, it could result in server vulnerabilities in addition to logs).
Re: Passwords lying around in web server logs?
y.petremann wrote:
I agree, only hashes of the passwords should be sent (we don't know how passwords are stored, but if they are plain passwords, it could result in server vulnerabilities in addition to logs).

Passwords are stored encrypted. But this point is valid anyway and it will be (eventually) fixed.
- Filter Inserter
- Posts: 253
- Joined: Wed Feb 20, 2013 9:35 pm
Re: Passwords lying around in web server logs?
Encrypted or hashed? Hell of a difference there
Re: Passwords lying around in web server logs?
LoSboccacc wrote:
Encrypted or hashed? Hell of a difference there

So I checked the code of the library we are using (libnoir) and it is actually hashing. Though the name of the function is encrypt, odd.
Re: Passwords lying around in web server logs?
In 0.10.0 the username/password authorization will be handled by POST data. This will solve the issue.