Security: Zero Authentication on All API Endpoints, Passwords Stored as Base64, XSS-to-RCE via Electron #109

@lighthousekeeper1212

Security Audit Report

14 findings (5 CRITICAL, 5 HIGH, 4 MEDIUM) identified during an authorized security audit.

Critical Findings

  1. Zero Authentication on ALL API Endpoints (CRITICAL) — Express server has no auth middleware. Every endpoint open to any network request. CORS Access-Control-Allow-Origin: *. In network POS mode, any device on the LAN has full access. (server.js:13-26)

  2. UI-Only Permission Enforcement (CRITICAL) — Permissions (perm_products, perm_users, etc.) only hide/show UI buttons in pos.js:194-198. Server never checks permissions on any endpoint.

  3. Passwords Stored as Base64 (CRITICAL) — btoa() used instead of hashing (api/users.js:64,107,160). Trivially reversible. Frontend even decodes them: atob(allUsers[index].password) (pos.js:1280).

  4. GET /api/users/all Exposes All Passwords (CRITICAL) — Returns full user documents including Base64 passwords with no auth (api/users.js:86-90).

  5. Unrestricted User Creation/Privilege Escalation (CRITICAL) — POST /api/users/post creates/modifies any user with any permissions, no auth required (api/users.js:104-149).

High Findings

  1. Default Admin Credentials — admin/admin auto-created on first launch (api/users.js:152-173).
  2. Path Traversal in File Deletion — fs.unlinkSync('./.../' + req.body.img) without sanitization in inventory (api/inventory.js:77-83) and settings (api/settings.js:58-64).
  3. Unrestricted Data Deletion — All DELETE endpoints unauthenticated across users, customers, categories, products, transactions.
  4. Insecure Electron Config — nodeIntegration: true, contextIsolation: false (start.js:24-27).
  5. Stored XSS → RCE — Product/customer/category names interpolated into HTML without escaping. Combined with nodeIntegration, achieves code execution (pos.js:221-268).

Medium Findings

Findings 11-14: Unauthenticated user logout, document replacement via raw req.body, NeDB operator injection.

Recommended Fix

Add Express authentication middleware to all API routes. Hash passwords with bcrypt. Validate/sanitize all inputs. Enable contextIsolation in Electron.

Identified via automated security research. Responsible disclosure — no exploit code included.
