Issue: Insecure Storage of GitHub Access Token in localStorage
Description:
While testing some app features, I discovered that the GitHub access token is being stored in localStorage. When I checked the app data directory (at ~/Library/Application Support/<YourAppName>/Local Storage/leveldb on macOS), the token was just sitting there in plain text. This means anyone gaining access to that file (e.g., through malware or even just a curious user) could potentially steal the token.
Why This is a Problem:
Storing sensitive information like this in localStorage is generally considered insecure. localStorage is easily accessible and provides no built-in protection against unauthorized access.
How Other Software Handles This:
Many desktop applications that need to store secrets (like API keys or access tokens) use more secure methods, such as:
- Operating System's Credential Manager (Keychain/Credential Vault): This is generally considered the most secure approach. The OS provides encrypted storage, and access is controlled by the user's account.
- Encrypted Storage (e.g., using Electron's safeStorage): Encrypting the data before storing it on disk provides a significant layer of protection.
Code Location:
Here are the code snippets where the access token is being stored and retrieved from localStorage:
```js
import { useEffect } from "react";

// Storing the token:
useEffect(() => {
  // ...
  localStorage.setItem(GITHUB_ACCESS_TOKEN_KEY, token); // Insecure storage!
  // ...
}, [token]);

// Retrieving the token:
const initialToken = localStorage.getItem(GITHUB_ACCESS_TOKEN_KEY); // Retrieving the token insecurely
```