Clear text password and username #8966

Closed
fu2x2000 opened this issue May 25, 2023 · 12 comments
Comments

@fu2x2000

Operating System Info

Other

Other OS

No response

OBS Studio Version

29.1.1

OBS Studio Version (Other)

No response

OBS Studio Log URL

ConfirmRemove.Title="Confirmeu la supressió"

OBS Studio Crash Log URL

No response

Expected Behavior

In the directory OBS-studio/Ui/data/locale/ca-ini

The ini file saves the password in clear text, which could lead to compromise. Sanitizing the password and username via a keystore would be applicable.

Example:

ConfirmRemove.Title="Confirmeu la supressió"

Check the above-mentioned example, lines 726 and 727.

Current Behavior

Managed to discover the issue through research.

Steps to Reproduce

1. Go to the directory file OBS-studio/Ui/data/locale/ca-ini
2. Open the ini file in Notepad
3. Search for password.
...

Anything else we should know?

N/A

@Lain-B Lain-B closed this as completed May 25, 2023
@fu2x2000
Author

How was this closed as completed?

@WizardCM
Member

@fu2x2000 Because the .ini files in the locale directory are translation strings, not data/passwords.

@fu2x2000
Author

Thanks for the clarification.

@spiceywasabi

spiceywasabi commented Jun 14, 2023

Just so you know, a CVE was assigned even though it probably should be disputed in this particular case. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34585

A project maintainer may dispute a CVE through this process: https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf

@fu2x2000
Author

Sure, no worries, thanks for the heads up, though I would like a few points of improvement in future.

  1. If you annotated such sensitive key-value pairs in the ini file as sample data, it would help independent security researchers turn the other way and look for actual vulnerabilities (if this is not one).
  2. When closing issues on security matters on Git, adding a comment or explanation would greatly help.

Many thanks

fu2x2000

@Fenrirthviti
Member

I originally ignored this issue because of how ridiculous it was, but to explain with further clarity:

This is reporting the translation string of the word "Password". This is immediately obvious to anyone who spent more than half a second looking at the search results in the repository for the word "Password", which appears to be what was done here, without any actual validation of a problem or issue.

I will respond to your direct comments here since you are the reporter, @fu2x2000.

  1. There is nothing sensitive about storing the string "Password" which is used for translations and localization of this field in the UI. This is obvious, and even in your report if you look at the file path obs-studio/UI/data/locale/ca-ES.ini which clearly shows it's a locale file. Any other additional verification or checking of the file itself would show the thousands of other obvious translation strings, or even just where the string itself is being used in the UI.
  2. Matt provided an explanation when the issue was closed, but we were so embarrassed for you by this awful report we tried to just let it go.

You have failed the most basic validation of this report while submitting, and have now wasted both your time, and the time of several project members as we now have to dispute this to get a false security risk removed. At best, this was a grossly negligent report, and at worst, intentionally false to try and boost reputation by making CVE reports.

Please do better in the future.

@fu2x2000
Author

Hi. To explain: I made this finding through a script I created to identify sensitive key pairs. I have not necessarily done projects with OBS, nor did I research the product, hence the reason for creating an issue rather than going through a bug bounty program.
Regarding applying for a CVE: that is because neither you nor anyone else in the project commented when closing the ticket; it was closed without explanation. I had not taken any action until today since the day I reported this issue.

Now, to explain my previous comment: an ini file can have various configuration values that could possibly be a password. From my perspective, I report what I have seen as a threat. I reported an issue first, not a CVE; if anyone had closed the ticket with a proper explanation, I would not have applied for a CVE three weeks after creating the issue. See whose fault that is now.

I guess we all should do better in future.

@spiceywasabi

An ini file can contain any sort of key-value pairs. If in this particular case you used locale ES and changed the string, the text in OBS would change as well; the password that a user actually entered would not be there. You may want to rework your script because it's very likely pulling in a lot of false positives.
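As an added example (not the reporter's script and not OBS project code), here is a minimal ini scanner that applies the distinction drawn above: entries under a locale directory, and dotted UI identifiers whose value is a quoted display string, are classified as translation strings rather than stored credentials, so only a credential-like key holding a literal value is left for review. The directory names, regular expressions, file paths and sample files are assumptions constructed for this example; the one line quoted from the issue is marked as such.

```python
"""Constructed ini credential scanner that separates translation strings
from configuration values. Example code, not part of OBS Studio."""
import re
from pathlib import PurePosixPath

# Key names that suggest a stored secret (constructed list for this example).
CREDENTIAL_KEY = re.compile(r"passw(or)?d|secret|api[_-]?key|token", re.IGNORECASE)

# Directory names that usually hold UI string tables, not configuration (assumption).
LOCALE_DIR_NAMES = {"locale", "locales", "i18n", "l10n", "lang", "translations"}

# A translation entry key: a dotted UI identifier such as Basic.Settings.Stream.Password.
UI_STRING_KEY = re.compile(r"^[A-Za-z]\w*(\.\w+)+$")


def parse_ini(text):
    """Yield (section, key, value) from ini-style text; blanks and comments are skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def is_locale_path(path):
    """True if any parent directory of the path is a known locale directory."""
    parents = {part.lower() for part in PurePosixPath(path).parts[:-1]}
    return not parents.isdisjoint(LOCALE_DIR_NAMES)


def is_ui_string_entry(key, value):
    """Dotted UI identifier with a double-quoted display string: a label, not data."""
    quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    return bool(UI_STRING_KEY.match(key)) and quoted


def classify(path, key, value):
    """Return a verdict for a credential-looking key, or None if the key is not one."""
    if not CREDENTIAL_KEY.search(key):
        return None
    if is_locale_path(path):
        return "ignore: translation file"
    if is_ui_string_entry(key, value):
        return "ignore: UI label string"
    if value.strip('"') == "":
        return "ignore: empty value"
    return "review: credential-like key holds a literal value"


def scan_ini(path, text):
    """Return [(section, key, value, verdict)] for every credential-looking key."""
    results = []
    for section, key, value in parse_ini(text):
        verdict = classify(path, key, value)
        if verdict is not None:
            results.append((section, key, value, verdict))
    return results


def findings_to_review(path, text):
    """Only the entries a human should actually look at."""
    return [r for r in scan_ini(path, text) if r[3].startswith("review")]


# Constructed samples. LOCALE_SAMPLE mimics a locale string table (its first line
# is the one quoted in the issue; the others are invented). CONFIG_SAMPLE mimics a
# service configuration that really does store a credential.
LOCALE_SAMPLE = """\
ConfirmRemove.Title="Confirmeu la supressió"
Basic.Settings.Stream.Password="Contrasenya"
Basic.Settings.Stream.Username="Nom d'usuari"
"""

CONFIG_SAMPLE = """\
; constructed service configuration
[stream]
username=streamer01
password=hunter2
api_key=""
"""

if __name__ == "__main__":
    for path, text in [("UI/data/locale/ca-ES.ini", LOCALE_SAMPLE),
                       ("config/service.ini", CONFIG_SAMPLE)]:
        for section, key, value, verdict in scan_ini(path, text):
            print(f"{path} [{section}] {key}: {verdict}")
```

Running the block reports the locale entry as "ignore: translation file" and leaves only `password=hunter2` from the configuration sample for review; the `api_key=""` line is dropped as empty. The two signals are deliberately independent, so a dotted UI key with a quoted value is still ignored when it appears outside a locale directory.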

@fu2x2000
Author

Thanks for the advice. It's not specifically made for OBS software, but then again you are correct, there is room for improvement. I will request the CVE to be updated as withdrawn.

@Fenrirthviti
Member

Just for the record, we explained that this was a translation string, in the comment here: #8966 (comment)

You failed to read that comment, on your own report. That is not our failure, that is yours. Any security researcher who submits reports without validating them should probably consider a new career path, as that kind of gross negligence isn't acceptable anywhere in the field.

@Sarius997

Also, in the future you should probably not just rely on a script, but rather invest a few minutes to read and check the supposed issue... Even taking a proper look at the file you reported would have made it obvious that this is a simple translation file and does not leak default passwords or anything.

@TheKyleChau

Thanks for the advice. It's not specifically made for OBS software, but then again you are correct, there is room for improvement. I will request the CVE to be updated as withdrawn.

You shouldn't even be making CVEs without even verifying that it's an actual vulnerability. This is so grossly negligent of pen-testing duties. It wastes time for people who could be improving their product instead of disputing false claims like this one.

@obsproject obsproject locked as resolved and limited conversation to collaborators Jun 14, 2023