Skip to content

Security: Sensitive API tokens stored in chrome.storage.sync#341

Open
tuanaiseo wants to merge 1 commit into
zilliztech:masterfrom
tuanaiseo:contribai/fix/security/sensitive-api-tokens-stored-in-chrome-st
Open

Security: Sensitive API tokens stored in chrome.storage.sync#341
tuanaiseo wants to merge 1 commit into
zilliztech:masterfrom
tuanaiseo:contribai/fix/security/sensitive-api-tokens-stored-in-chrome-st

Conversation

@tuanaiseo

Copy link
Copy Markdown

Problem

The extension saves high-value secrets (GitHub token, OpenAI token, Milvus credentials) in chrome.storage.sync. Sync storage propagates data across signed-in browser profiles/devices and increases exposure if a synced account/session is compromised.

Severity: high
File: packages/chrome-extension/src/config/milvusConfig.ts

Solution

Do not store API secrets in chrome.storage.sync. Prefer chrome.storage.local with minimal retention, or use short-lived tokens/OAuth flows. Consider encrypting at rest with a user-provided passphrase and avoid auto-syncing secrets across devices.

Changes

  • packages/chrome-extension/src/config/milvusConfig.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

…me.storage.syn

The extension saves high-value secrets (GitHub token, OpenAI token, Milvus credentials) in `chrome.storage.sync`. Sync storage propagates data across signed-in browser profiles/devices and increases exposure if a synced account/session is compromised.

Affected files: milvusConfig.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant