🛡️ Sentinel: [MEDIUM] Protect sensitive API keys from physical exposure (Shoulder-surfing)#100
🛡️ Sentinel: [MEDIUM] Protect sensitive API keys from physical exposure (Shoulder-surfing)#100bobdivx wants to merge 1 commit into
Conversation
…re (Shoulder-surfing) Changes input types for TMDB API Keys and Tracker Passkeys from `text` to `password` and adds `autoComplete="off"`. This prevents physical exposure (shoulder-surfing, screen sharing) and browser autofill history leakage. Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request improves physical security for sensitive credentials (TMDB API keys and tracker passkeys) by changing input fields from type "text" to "password" and adding autoComplete="off" across several configuration panels, as well as documenting this practice in .jules/sentinel.md. The reviewer suggests using autoComplete="new-password" instead of autoComplete="off" because modern browsers often ignore off for password inputs, which can cause unexpected autofill behavior. Additionally, the reviewer recommends updating the sentinel documentation to reflect this practice.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers (such as Chrome and Safari), which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers, which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers, which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers, which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers, which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| type="password" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Using autoComplete="off" on a type="password" input is often ignored by modern browsers, which may still attempt to autofill the user's saved login credentials into this field. To reliably prevent browser autofill on configuration fields, use autoComplete="new-password" instead.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" |
| ## 2025-02-27 - Physical Exposure of API Keys | ||
| **Vulnerability:** Highly sensitive credentials like TMDB API keys and Tracker Passkeys/API keys were being rendered in `<input type="text">` fields across multiple configuration components (`TmdbConfig`, `UploadAssistantPanel`, `UploadTrackersManagerPanel`, `TmdbStep`), making them vulnerable to physical exposure (shoulder-surfing) or accidental leakage during screen sharing. | ||
| **Learning:** Form inputs handling sensitive external tokens or API keys must be treated with the same physical security precautions as user passwords, especially in configuration dashboards. | ||
| **Prevention:** Always use `<input type="password">` combined with `autoComplete="off"` when requesting or displaying sensitive tokens, keys, or passkeys to prevent both physical exposure and browser autofill history leakage. |
There was a problem hiding this comment.
Update the prevention documentation to recommend using autoComplete="new-password" instead of autoComplete="off" to align with the security best practices for preventing browser autofill on configuration forms.
1 participant
🚨 Severity: MEDIUM
💡 Vulnerability: Sensitive API keys (TMDB, Tracker Passkeys/API Keys) were rendered in plaintext
type="text"fields, making them vulnerable to "shoulder-surfing", accidental exposure during screen sharing, and browser autocomplete history caching.🎯 Impact: Potential unauthorized access to users' linked tracker accounts or their TMDB API limits.
🔧 Fix: Changed the
<input>types topasswordto visually obscure the keys and addedautoComplete="off"to explicitly tell browsers not to save these sensitive credentials in form history.✅ Verification: Verified by checking the forms manually and running
pnpm testandpnpm buildto ensure no regressions were introduced in the input handling.PR created automatically by Jules for task 10199344544145027728 started by @bobdivx