fix(security): plaintext passwords are persisted in extension sta
Step 3 appends `{ email, password, createdAt }` directly into `state.accounts` and writes it via `setState`. This stores raw credentials in extension-managed state, increasing impact if extension storage is exposed (local compromise, backup/sync leakage, debug export, or other extension bugs).
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
This commit is contained in:
@@ -30,7 +30,7 @@
|
|||||||
await setPasswordState(password);
|
await setPasswordState(password);
|
||||||
|
|
||||||
const accounts = state.accounts || [];
|
const accounts = state.accounts || [];
|
||||||
accounts.push({ email: resolvedEmail, password, createdAt: new Date().toISOString() });
|
accounts.push({ email: resolvedEmail, createdAt: new Date().toISOString() });
|
||||||
await setState({ accounts });
|
await setState({ accounts });
|
||||||
|
|
||||||
await chrome.tabs.update(signupTabId, { active: true });
|
await chrome.tabs.update(signupTabId, { active: true });
|
||||||
|
|||||||
Reference in New Issue
Block a user