Newly Onboarded to the Forum - password autopopulated in Machines field

There’s something wrong with your new user on-boarding for the Forum.

I never added any text to the Machines section of my profile - I never actually set up my profile before I posted my first question. In response to my first post, @LightBurn included a snapshot of my profile and the “Machines” section contained my password.
I’ve changed the password since discovering this, but having never entered anything in the Machines field, it’s curious that my password got there somehow, even though I had never visited any of the profile pages until this morning to get things updated. After setting up my profile and changing my password I checked the Machines field and it contains what I submitted as my actual machine info.

It looks like this occurs upon initial on-boarding when the user doesn’t deliberately set up their profile after signing up.

Steps to reproduce (likely):

  • Onboard a new user, set the password and do not set any profile attributes
  • Have the new user confirm/activate their login via email
  • Log out the new user after activation confirmation
  • Have an admin copy and/or view the new user’s (untouched) profile page
  • The user’s password appears in the Machines field

I hope this helps… Feel free to reach out if you have additional questions.

-DM

When creating a new account during sign up, the Machines field is required. If left blank, clicking Create New Account will present a reminder of the mandatory field:

Commonly when registering for a service requiring a password, two fields are provided: Password and Re-enter Password (to validate the data entry / mitigate typos especially in a masked field). Only one field (Password) is presented during sign up for the forum.

Perhaps there is a high potential for someone (being so used to the process of password + re-enter password) to instinctively model that behavior, i.e., enter their desired password; tab; re-enter that password (unknowingly populating password information in the Machines field).
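
Whatever the cause, a sign-up form can refuse to store a public profile field that repeats the password. The following is an added example, not code from the forum or its platform: a pure check that reports which free-text fields equal (or contain) the password value, plus optional browser wiring that cancels the submit event. The field names `password` and `machines` and the form id `signup` are assumptions modelled on the form described above, not the forum's actual markup.

```javascript
// Added example (not the forum's code): block sign-up when a profile field
// such as "Machines" repeats the password. Field names are assumed.

// Trim the value so a re-typed password with stray whitespace still matches.
function normalise(value) {
  return value == null ? "" : String(value).trim();
}

// Return the names of every non-password field whose content equals the
// password (exactly or case-insensitively) or contains it verbatim, so the
// form can be stopped before the secret lands in a publicly visible profile.
function fieldsLeakingPassword(values, passwordField = "password") {
  const password = normalise(values[passwordField]);
  if (password.length === 0) return [];
  const leaks = [];
  for (const [name, raw] of Object.entries(values)) {
    if (name === passwordField) continue;
    const v = normalise(raw);
    if (v.length === 0) continue;
    if (
      v === password ||
      v.toLowerCase() === password.toLowerCase() ||
      v.includes(password)
    ) {
      leaks.push(name);
    }
  }
  return leaks;
}

// Browser wiring: collect the form's controls, run the check, and cancel the
// submission with a message when a leak is found. Only call where a DOM
// exists; the check above itself has no DOM dependency.
function attachPasswordLeakGuard(form, passwordField = "password") {
  form.addEventListener("submit", (event) => {
    const values = Object.fromEntries(new FormData(form).entries());
    const leaks = fieldsLeakingPassword(values, passwordField);
    if (leaks.length > 0) {
      event.preventDefault();
      alert(
        `These fields contain your password: ${leaks.join(", ")}. ` +
          "Please remove it before creating the account."
      );
    }
  });
}

// Wire the guard to a form with id "signup" (assumed id) when run in a page.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#signup");
  if (form) attachPasswordLeakGuard(form);
}
```

Because this runs client-side it only stops the accidental case; the server-side profile handler should apply the same comparison before persisting, since anyone can bypass browser script. Two smaller form changes also help: add the usual confirm-password field so users have somewhere to re-type the password, and mark the password input with `autocomplete="new-password"` so browser password managers fill the right control rather than the next text field in tab order.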

Thank you for bringing up this subject. We’ve already noticed a handful of users having the password in the machines field, but have been operating under the assumption that this was either user behavior or a password assistant like the one in Chrome acting incorrectly in this manner.

The forum platform we use is quite popular, and I’m sure if such a bug relating to passwords being displayed did exist, then it would have been promptly discovered and patched, all with lots of noise on the internet throughout.