Don't Show Password in RDP Tab

james_wm · February 1, 2024, 6:44pm

If Royal TSX is opened using a rtsx:// url with an (URL-encoded) embedded rdp:// that includes a password (as most rdp:// urls would), that password can be easily seen just by clicking on the tab and copy+paste.

In fact, it’s easy enough to drive by someone else’s machine and just click on it to see their password.

While one option is “don’t use Royal TSX this way”, a better option would be to simply mask the password before putting the URL in the tab.

NOTE: I know some organizations would consider this a security issue, but I was recommended to publish this here. I hope that’s alright.

felix_deimel · February 2, 2024, 7:09am

Just to clarify: By “Tab” you actually mean it shows up in the ad hoc computer name field in the toolbar, right?

Thx,
Felix

james_wm · February 2, 2024, 8:11pm

So from here…

felix_deimel · February 5, 2024, 2:30pm

Hi James,

thx for the screenshot. I was worried that the whole connection string would show up in the tab title after your initial description. Thankfully it does only show up in the ad hoc computer name field which is by design at the moment.

For the next update, we’ll not put the connection string into that box however if you pass it via the “rtsx://” URL scheme. So that should fix your issue.

cheers,

Felix