This is a migrated thread and some comments may be shown as answers.

Does Fiddler view/store/display credentials?

Robert asked on 15 May 2020, 07:20 PM
We are troubleshooting an issue using Fiddler and wanted to know if Fiddler grabs credentials as part of its network traffic capture that could be used by others.  Obviously, if it's an unencrypted password being sent then that would work, but with encryption and session management, is it possible for someone to utilize credentials seen in the traffic capture to compromise security?

1 Answer, 1 is accepted

Nick Iliev
Telerik team
answered on 18 May 2020, 12:46 PM

Hi Robert,

As far as I understood, your question is whether encrypted passwords are "visible" in traffic decrypted by Fiddler (and possibly shared with a 3rd party). If this is the question, then the answer is yes, as Fiddler is the "man-in-the-middle" via the trusted certificate. However, for any external party, the whole traffic will be encrypted from end to end. Use Fiddler only with trusted parties and keep in mind that HTTPS traffic decrypted by Fiddler is readable in a way that is not possible for external users (which are not signed with trust certificates and are not acting as a "man-in-the-middle" proxy). See this thread for more details about a similar question related to using Fiddler as a man in the middle.

Regards,
Nick Iliev
Progress Telerik
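
A defensive follow-up to the answer above, as an added example that is not part of the original thread or Telerik's code: Python that redacts credential-bearing headers and form fields from decrypted HTTP messages before a capture is shared. It assumes the capture is a Fiddler Classic SAZ archive (a ZIP whose `raw/` folder holds `N_c.txt` requests and `N_s.txt` responses); the function names, field list and sample request are constructed for illustration.

```python
import re
import zipfile

# Headers whose values authenticate a user or session.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Form-field names treated as secrets (assumed list; extend for your application).
SENSITIVE_FIELDS = re.compile(r"(?i)\b(password|passwd|pwd|token|secret)=([^&\s]*)")
# Constructed sample: a decrypted login request as a proxy capture would store it.
SAMPLE_REQUEST = (
    "POST https://app.example.test/login HTTP/1.1\r\n"
    "Authorization: Basic dXNlcjpodW50ZXIy\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "user=robert&password=hunter2"
)

def redact_message(raw):
    """Return (redacted_text, findings) for one raw HTTP request or response."""
    head, sep, body = raw.partition("\r\n\r\n")
    findings, lines = [], []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key in SENSITIVE_HEADERS:
            findings.append("header:" + key)
            parts = value.split()
            # Keep the auth scheme (Basic, Bearer, ...) so the capture stays useful.
            keep = parts[0] + " " if key.endswith("authorization") and len(parts) > 1 else ""
            line = f"{name}: {keep}[REDACTED]"
        lines.append(line)

    def scrub(match):
        findings.append("body:" + match.group(1).lower())
        return match.group(1) + "=[REDACTED]"

    return "\r\n".join(lines) + sep + SENSITIVE_FIELDS.sub(scrub, body), findings

def redact_saz(src, dst):
    """Copy a SAZ archive, redacting raw/N_c.txt and raw/N_s.txt; return findings."""
    report = {}
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if re.fullmatch(r"raw/\d+_[cs]\.txt", info.filename):
                # latin-1 maps bytes 1:1, so binary bodies survive the round trip.
                text, found = redact_message(data.decode("latin-1"))
                data, report[info.filename] = text.encode("latin-1"), found
            zout.writestr(info.filename, data)
    return report
```

The form-field pattern only covers URL-encoded bodies; compressed or JSON bodies pass through unchanged, so review those sessions by hand before sharing.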
