PSA: setEncryptedText() Isn't Secure... At All

PSA

setEncryptedText() isn’t any more secure than storing plaintext passwords. It took minutes and 0 cybersecurity knowledge to search for Katalon projects hosted online and gather/decrypt several peoples’ personal credentials.

Feature Request

  1. Add a warning first and foremost to the Help > Encrypt Text popup as well as in the documentation clearly stating the dangers/limitations of Katalon’s encrypted text.
  2. Add an option to customize the salt+key used for encrypting text so that it’s actually secure.

I was wondering how setEncryptedText() using the same string could possibly work on my machine as well as my colleagues’ without me sharing some key with them. So I looked up the CryptoUtil class available on GitHub, and unsurprisingly:

public final class CryptoUtil {
    private static final String DF_ALGORITHM = "PBEwithSHA1AndDESede";
    private static final byte[] DF_SALT = { 75, 64, 116, 97, 108, 48, 110, 32, 83, 84, 117, 100, 108, 79 };
    private static final byte[] DF_SECRET_KEY = { 83, 51, 99, 82, 101, 84, 32, 75, 51, 105 };
    ...
}

The salt+key used to encrypt your text is not only built-in to Katalon, it’s available publicly. And don’t get me wrong, I’m thrilled that it’s open source—that’s not the issue. Removing the source code from public view wouldn’t fix anything. The issue is that the key is built-in to Katalon Studio with no option to change it. This means that there is 0 security benefit to encrypting your text; anyone who has access to your encrypted passwords—whether via a report, log, access to your project, or whatever—can easily use CryptoUtil.decode() to decrypt them.

I’m frankly appalled that there is NO warning about this. If you add a feature that looks secure, some people are going to trust it. The only thing more dangerous than an insecure feature is an insecure feature that misleads people into thinking its safe. At least if there was a warning, people could make a more informed decision about when to use it. As it stands, there are guaranteed to be people out there whose unfortunate decision to trust Katalon’s seemingly secure feature has compromised their personal passwords. I know there are; I searched for Katalon projects hosted online and decrypted several peoples’ personal credentials.

This is a huge issue. Don’t trust setEncryptedText(), and shame on Katalon Studios for this absurdly negligent lack of warning.

Hello,
until guys @Katalon will implement solution look here:


there is keyword i’m using for managing passwords
if they are used i can safely store them in git because master password is stored elsewhere.
if i’m using script from CI/CD pipeline i’m using pipeline to set correct user id and password and in that case keyword will throw exception and treat password as plain text…

Hi Andrej,

We provided the solution to encrypt and decrypt values to let the user decrypt their own value if needed. You can refer to this request Can Katalon provide a method to decrypt the encrypted string

Since the decrypt function in KS is masked for a team member to read the result. Other members can access the script and decrypt it. We highly recommend that user write their own encryption mechanism to suit their security policy.

Yeah, and that’s a great recommendation. It should probably be plastered in big red letters somewhere obvious. The important issue isn’t whether or not the text encryption feature should be updated to allow custom keys (although it has such a great effort:reward ratio it seems odd not to), it’s the fact that there is 0 warning that the encryption feature offers 0 actual security.

Which has, again, led to people publicly sharing their “encrypted” personal credentials online because they understandably thought that the encryption feature was secure. This is bad, and Katalon has a responsibility to its users to make sure that they understand a feature which looks very secure isn’t actually secure at all.

For sure! And that’s what you have to do if you have your passwords in the repo. The issue is that Katalon doesn’t make it obvious that this is necessary, which has led to some users publicly publishing their repos with sensitive data because they thought the encryption method was secure. And sure, you could argue that they should know better, but Katalon is specifically targeted at non-coders—people who aren’t necessarily as tech savvy.

And either way, if you create a function that looks like it’s super secure, you have a responsibility to make sure your users know when it’s not. If Katalon had done that, I wouldn’t have been able to farm peoples’ personal usernames and passwords from publicly published Katalon project repositories. This is a huge oversight on Katalon’s part, and it has directly led to people having their personal information compromised.