Thanks for posting this! It looks like you may not be using the latest version of React Native, v0.53.0, released in January 2018. Can you make sure this issue can still be reproduced in the latest version?
I am going to close this, but please feel free to open a new issue if you are able to confirm that this is still a problem in v0.53.0 or newer.
Is this a bug report?
(Yes)
Have you read the Contributing Guidelines?
(Yes)
Environment
com.facebook.react:react-native:0.44.0
Steps to Reproduce
When the user chooses to save the user name and password entered in the WebView, they are explicitly stored in the databases/webview.db of the application data directory, because the WebView setSavePassword setting is ignored. If the phone is rooted, you can get the saved password in plaintext, resulting in leakage of the user's sensitive personal data.
Several methods that may cause this loophole were found, as follows:
Calling WebView.getSettings().setSavePassword(false) can prohibit users from saving passwords, which may avoid this loophole.
http://developer.android.com/reference/android/webkit/WebSettings.html#setSavePassword(boolean)
Expected Behavior
(Write what you thought would happen.)
Actual Behavior
(Write what happened. Add screenshots!)
Reproducible Demo
(Paste the link to an example project and exact instructions to reproduce the issue.)
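A check a tester could run on a copy of databases/webview.db taken from a rooted test device, to confirm whether the WebView saved any logins before and after setSavePassword(false) is applied. This is an added example, not part of the original issue or React Native's code; the `password` table and `host` column names are an assumption about the legacy WebView schema, and the sample database is constructed.

```python
import sqlite3
from pathlib import Path

# Assumption: the legacy WebView keeps saved logins in a table named
# "password" with a "host" column; adjust if the device's schema differs.
CRED_TABLE = "password"


def audit_webview_db(path):
    """Report whether a webview.db copy contains saved WebView logins.

    Only the row count and host names are returned; the stored user names
    and passwords are never selected.
    """
    # Open read-only so the pulled file is not modified by the audit.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if CRED_TABLE not in tables:
            return {"table_present": False, "saved_logins": 0, "hosts": []}
        cols = {r[1] for r in conn.execute(f"PRAGMA table_info({CRED_TABLE})")}
        count = conn.execute(f"SELECT COUNT(*) FROM {CRED_TABLE}").fetchone()[0]
        hosts = []
        if "host" in cols:
            hosts = sorted(r[0] for r in conn.execute(
                f"SELECT DISTINCT host FROM {CRED_TABLE} WHERE host IS NOT NULL"))
        return {"table_present": True, "saved_logins": count, "hosts": hosts}
    finally:
        conn.close()


def build_sample_db(path, rows):
    """Create a constructed webview.db-like file for the demonstration."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE password (_id INTEGER PRIMARY KEY, "
                 "host TEXT, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO password (host, username, password) VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "webview.db")
        build_sample_db(db, [("https://example.test", "alice", "constructed")])
        finding = audit_webview_db(db)
        print("FAIL" if finding["saved_logins"] else "PASS", finding)
```

A result with `saved_logins` greater than zero means the app still lets the WebView persist credentials.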