fix(security): plaintext passwords are persisted in extension sta

Step 3 appends `{ email, password, createdAt }` directly into `state.accounts` and writes it via `setState`. This stores raw credentials in extension-managed state, increasing impact if extension storage is exposed (local compromise, backup/sync leakage, debug export, or other extension bugs).

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
This commit is contained in:
tomaioo
2026-04-17 05:16:45 -07:00
parent 8f290ed4fc
commit 32880a1717
+1 -1
View File
@@ -30,7 +30,7 @@
await setPasswordState(password);
const accounts = state.accounts || [];
accounts.push({ email: resolvedEmail, password, createdAt: new Date().toISOString() });
accounts.push({ email: resolvedEmail, createdAt: new Date().toISOString() });
await setState({ accounts });
await chrome.tabs.update(signupTabId, { active: true });