fix(security): plaintext passwords are persisted in extension sta
Step 3 appends `{ email, password, createdAt }` directly into `state.accounts` and writes it via `setState`. This stores raw credentials in extension-managed state, increasing impact if extension storage is exposed (local compromise, backup/sync leakage, debug export, or other extension bugs).
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
This commit is contained in:
@@ -30,7 +30,7 @@
|
||||
await setPasswordState(password);
|
||||
|
||||
const accounts = state.accounts || [];
|
||||
accounts.push({ email: resolvedEmail, password, createdAt: new Date().toISOString() });
|
||||
accounts.push({ email: resolvedEmail, createdAt: new Date().toISOString() });
|
||||
await setState({ accounts });
|
||||
|
||||
await chrome.tabs.update(signupTabId, { active: true });
|
||||
|
||||
Reference in New Issue
Block a user