DEBUGBAR can be ABUSED to obtain USER Credentials!

[whipsterCZ]

WARNING: using debugbar at TEST or PRODUCTION environment will lead to SECURITY BREACH...

im using (i was using) DEBUGBAR at several pages.
But we were recently hacked - Debugbar has log of all requests INCLUDING LOGIN REQUESTS with PASSWORDS!!!!

Can you share this as ATTENTION
Or at least add some warning to README.MD , i have not clue that it can be ABUSED like this..

DETAILS:
attacker found debugbar enabled on our TEST environment, but we are using same credentials on PROD
so attacker had access to our ADMIN account .

(/_debugbar/open?method=POST&uri=*%2Flogin&max=20&offset=0)

I found this:

"password" => {plaintext-password!}
"email" =>  {adminEmail}

[parallels999]

Can you share this as ATTENTION

laravel-debugbar/config/debugbar.php

Lines 34 to 36 in 27b088a

	| Warning: Enabling storage.open will allow everyone to access previous
	| request, do not enable open storage in publicly available environments!
	| Specify a callback if you want to limit based on IP or authentication.

• Improve masking of request collector #1442
• Secure storage by default #1443

Debugbar has log of all requests INCLUDING LOGIN REQUESTS

Disable debugbar on login, just enable it when you need, i did add a debugbar enabler button(handled by session or cookies)

[barryvdh]

This should already be fixed in the latest version. Browsing is disabled by default.
Note that you should still not show it on public sites, which was already mentioned in the config.