
Rocket.Chat includes the LDAP password in clear text in the statistics. #22669

Open
sennewood opened this issue Jul 14, 2021 · 1 comment

Comments

@sennewood

Description:

In the log in the Admin UI we saw that Rocket.Chat saves our LDAP password in clear text within the statistics. I'm unsure if the Rocket.Chat company has access to these statistics and now knows our LDAP connection data.

Steps to reproduce:

  1. Go into the Admin UI.
  2. Open the log.
  3. Search for the statistics object.

Expected behavior:

No LDAP password inside the statistics.

Actual behavior:

LDAP password inside the statistics.

Server Setup Information:

  • Version of Rocket.Chat Server: 3.14.6
  • Operating System: Ubuntu 18.04
  • Deployment Method: docker
  • Number of Running Instances: 2
  • DB Replicaset Oplog: yes
  • NodeJS Version: v12.22.1
  • MongoDB Version: 4.0.25

Client Setup Information

  • Desktop App or Browser Version: Firefox 89.0.2
  • Operating System: Win 10

Additional context

none

Relevant logs:

I won't post my logfile, because our LDAP password is readable in it ;)

@johncrisp

Hi and thanks for reporting this.

First, thanks for filling out the template details, but you should also test this on the latest code - there are lots of changes in each version and this may have been modified already. We are currently on 3.16.x - you can check the release page for changes.

> I'm unsure if the Rocket.Chat company has access to these statistics and now knows our LDAP connection data.

If you allow sending of stats, we have some limited data, but we would never look at or keep users and passwords. It would be a huge betrayal of trust!

> Rocket.Chat saves our LDAP password in clear text

I don't believe that is the case. You see it in the logs. I think if you check the MongoDB you will see it is encrypted there. Remember, the browser sends it as plain text - check your password store to see ;-)

There may be a case for changing it to ***** in the logs, I guess, but that is a different issue.

Check this for a long-forgotten conversation on LDAP and fallback, and password storage.

#6144
