From 32880a17176c18c75804e02c2d9194d227b935f8 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Fri, 17 Apr 2026 05:16:45 -0700 Subject: [PATCH] fix(security): plaintext passwords are persisted in extension sta Step 3 appends `{ email, password, createdAt }` directly into `state.accounts` and writes it via `setState`. This stores raw credentials in extension-managed state, increasing impact if extension storage is exposed (local compromise, backup/sync leakage, debug export, or other extension bugs). Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- background/steps/fill-password.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/background/steps/fill-password.js b/background/steps/fill-password.js index 88f0a52..f8f3318 100644 --- a/background/steps/fill-password.js +++ b/background/steps/fill-password.js @@ -30,7 +30,7 @@ await setPasswordState(password); const accounts = state.accounts || []; - accounts.push({ email: resolvedEmail, password, createdAt: new Date().toISOString() }); + accounts.push({ email: resolvedEmail, createdAt: new Date().toISOString() }); await setState({ accounts }); await chrome.tabs.update(signupTabId, { active: true });