PSA: setEncryptedText() isn’t any more secure than storing plaintext passwords. It took minutes and 0 cybersecurity knowledge to search for Katalon projects hosted online and gather/decrypt several people’s personal credentials.
Feature Request
- Add a warning first and foremost to the Help > Encrypt Text popup as well as in the documentation clearly stating the dangers/limitations of Katalon’s encrypted text.
- Add an option to customize the salt+key used for encrypting text so that it’s actually secure.
I was wondering how setEncryptedText() using the same string could possibly work on my machine as well as my colleagues’ without me sharing some key with them. So I looked up the CryptoUtil class available on GitHub, and unsurprisingly:
public final class CryptoUtil {
private static final String DF_ALGORITHM = "PBEwithSHA1AndDESede";
private static final byte[] DF_SALT = { 75, 64, 116, 97, 108, 48, 110, 32, 83, 84, 117, 100, 108, 79 };
private static final byte[] DF_SECRET_KEY = { 83, 51, 99, 82, 101, 84, 32, 75, 51, 105 };
...
}
The salt+key used to encrypt your text is not only built into Katalon, it’s available publicly. And don’t get me wrong, I’m thrilled that it’s open source—that’s not the issue. Removing the source code from public view wouldn’t fix anything. The issue is that the key is built into Katalon Studio with no option to change it. This means that there is 0 security benefit to encrypting your text; anyone who has access to your encrypted passwords—whether via a report, log, access to your project, or whatever—can easily use CryptoUtil.decode() to decrypt them.
I’m frankly appalled that there is NO warning about this. If you add a feature that looks secure, some people are going to trust it. The only thing more dangerous than an insecure feature is an insecure feature that misleads people into thinking it’s safe. At least if there was a warning, people could make a more informed decision about when to use it. As it stands, there are guaranteed to be people out there whose unfortunate decision to trust Katalon’s seemingly secure feature has compromised their personal passwords. I know there are; I searched for Katalon projects hosted online and decrypted several people’s personal credentials.
This is a huge issue. Don’t trust setEncryptedText(), and shame on Katalon Studios for this absurdly negligent lack of warning.
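Added example (editor's illustration, not Katalon's code or part of the original post) of what the second feature request above would look like in practice: instead of the fixed DF_SALT/DF_SECRET_KEY constants shown in the CryptoUtil excerpt, the passphrase is supplied by the caller (e.g. from an environment variable or CI secret) and every string gets its own random salt and nonce. The class name, the choice of PBKDF2-HMAC-SHA256 with AES-GCM, and the output layout are my assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical replacement for a fixed built-in salt+key: nothing in the source
// or in an exported project can decrypt a string without the external passphrase.
public final class ExternalKeyTextCrypto {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128, ITERATIONS = 210_000;
    private static final SecureRandom RNG = new SecureRandom();

    // PBKDF2 turns the caller's passphrase plus a per-ciphertext salt into a 256-bit AES key.
    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout (assumed): base64( salt || nonce || AES-GCM ciphertext+tag ).
    public static String encrypt(String plaintext, char[] passphrase) throws Exception {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);   // fresh salt per string, never a constant in the code base
        RNG.nextBytes(nonce);  // fresh nonce per encryption, required for GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, SALT_LEN + NONCE_LEN + ct.length);
        System.arraycopy(nonce, 0, out, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + NONCE_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static String decrypt(String encoded, char[] passphrase) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(in, SALT_LEN, SALT_LEN + NONCE_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        // Wrong passphrase or a tampered blob: doFinal throws AEADBadTagException instead of garbage.
        byte[] pt = c.doFinal(in, SALT_LEN + NONCE_LEN, in.length - SALT_LEN - NONCE_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

The point of the contrast: with the excerpt's fixed salt and key, every Katalon install shares the decryption secret, so a ciphertext in a log or committed project is as good as plaintext; here the blob in the project is useless to anyone who does not also hold the passphrase, which is exactly what the requested "customize the salt+key" option would provide.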