This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WiFi Policy Password Exploit - Sophos Central Admin

Hello,

We have a Wifi Policy setup through Sophos Central Admin as below, and we have a number of Admins/Sudo Admins that have various configuration permissions. I myself, as you can see, do not have access to change any of this information or view it in great detail.

However, what is concerning is, if I press the back button as shown, in either Chrome or Edge, I am prompted to 'save password' which then provides me the Wifi Password in plain text. How is it that the browsers are able to pull this information?

This thread was automatically locked due to age.

0 emmosophos over 3 years ago

Hello Aaron,

Thank you for contacting the Sophos Community!

I am not very familiar with that screenshot you provided, is this being configured from Sophos Central Admin Wireless or Firewall?

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Dodd over 3 years ago in reply to emmosophos

Hi Emmanuel, so initially logging in through https://central.sophos.com/manage/dashboard

From there we navigate to Policies - iOS & iPADOS and we have some current policies configured, when we click into that policy, we then have a wifi policy configured

When I click into Wi-Fi, i'm then presented the first screenshot I provided. Let me know if you require more information
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Aaron Dodd

Hello Aaron,

Thank you for the screenshot! I am moving this to the correct Group (Mobile). I'll follow up with our team for feedback and will reach out to you via PM if more information is needed

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Shweta over 3 years ago

Hi Aaron Dodd

Are you logged in as Admin and cannot change the password for wifi, but when you click on back you are able to view the password?

Shweta

Community Support Engineer | Sophos Technical Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Dodd over 3 years ago in reply to Shweta

Essentially yes. I don't think I'm a full admin, I have a lot of permissions to view, but not to make changes. but yes, as you can see I have no options to view or change the Wi-Fi password and you can see in my original screenshot the SSID is EBF-Phones, however when I click the back button I'm presented with this box even though I never entered any information

Then if I press the eye-icon on the right it allows me to see the full password in plain text. I imagine this can't be by design?
Cancel
Vote Up 0 Vote Down

Cancel