Data is visible in plain text in request while we used change events only

Hello

We have a mobile number text field where I enter a mobile number.


screen

While entering data in the mobile number textField, the following event is triggered:

@Subscribe("mobileNumber")
public void onMobileNumberTypedValueChange(final SupportsTypedValue.TypedValueChangeEvent<TypedTextField, String> event) {
    // Runs on the server each time the field's typed value changes
}

Once this event is called, the following request is generated, and the mobile number is visible in plain text:

request

In this request, I modified the mobile number to another mobile number and sent it to the server.

modified request

But on my browser screen, my old entered mobile number is visible.
generate otp

But once I click the generate OTP button, the OTP is triggered on my modified (tampered mobile parameter) mobile number.

So what is your question?

The mobile number is visible in plain text in the request even though the web application uses HTTPS. An attacker can change the entered mobile number and generate an OTP to another mobile number.

In Jmix 2.1.3 we used a change event on a component, e.g. the onMobileNumberTypedValueChange event, where on every change a new request is triggered, and in that request the data is visible in plain text. It only happens on the change event. In the request generated on a button click, the data is not visible in plain text; on the change event, the data is visible.

If you use HTTPS, the data is visible only to the user who sends the request. It cannot be intercepted during transmission over the network.

See also an explanation in this topic: Hiding Password of the user - #5 by mario