
fiori security concern

Former Member
0 Kudos

Hi All

We are now receiving security concerns from customer about FIORI.

1. Information leakage:

For instance, when we clicked an item, it failed, and we got an error message which might cause information leakage.

Is it possible that the backend could provide some general information with no sensitive information involved?

2. Remember password option:

After entering the username and password, the browser will prompt if you want to remember the password. There is a security concern about remembering the password in the browser. Is it possible to disable this pop-up window? That is, is it possible to set autocomplete off in every form that is getting submitted?

Thanks

Message was edited by: Michael Appleby

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Torren,

I don't want to be a smartass, but do you really think it's a good idea to post an image where you can see a productive URL of a customer? When we talk about security, we should start to hide or obfuscate such information, which is absolutely not necessary to investigate an issue. I think the customer itself doesn't want to see this information in a forum which is available to everyone on the internet. Besides: never post a real user of a productive system in a forum!!! I couldn't believe that your test user "TEST*****" is actually a real one. A hacker now has perfect premises to start an attack on this system!

Because I myself am a customer of SAP, I have the expectation that SAP always works confidentially with my data.

Sorry if I can't answer your questions, but this topic is very important to me!

Regards

Michael

hofmann
Active Contributor
0 Kudos

People have been posting links to systems they are working with for years. Sometimes the name of the link is only "server", but the link behind it still points to the real system. Sometimes the problem is that not everyone understands that SCN is a public web site, accessible to all.

A small reminder to the moderator that a link was posted should help in having the post reviewed, edited, blocked or removed.

Former Member
0 Kudos

Hi Tobias,

The advice with the reminder is really good. I'm going to remember this!!!

hofmann
Active Contributor
0 Kudos

I alerted the moderator, but it looks like the information exposed is not considered worth editing, so we can still see the links.

masa_139
Product and Topic Expert
0 Kudos

Hi Torren,

Is this the first time that the customer is going to use a web browser? How do they access their company home page or any other application? Those items are not specific to Fiori and happen with any other application. What was the comment from their IT team? Please share the background.

Regards, Masa

SAP Customer Experience Group - CEG

hofmann
Active Contributor
0 Kudos

I can give you many examples where employees do not have access to a browser, or intranet, or internet, or phone.

How do they access their company home page or any other application?

Well, what about SAPGui?

About the logon remember question: I'd opt to go for SSO.