🛡️ Sentinel: [MEDIUM] Fix sensitive credentials exposure #87
Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
Code Review
This pull request improves security by converting sensitive credential inputs, such as TMDB API keys and tracker passkeys, from text to password fields and adding autocomplete prevention. The reviewer suggests using autoComplete="new-password" instead of "off" to more effectively prevent browser autofill. Additionally, feedback was provided regarding the need to update focus logic in the setup wizard to ensure masked previews are cleared correctly when the user interacts with the field.
| ## 2026-05-23 - Insecure Exposure of Sensitive Credentials in Text Inputs | ||
| **Vulnerability:** Sensitive credentials such as TMDB API keys and Tracker Passkeys were entered using standard `<input type="text">` fields without `autoComplete="off"`. | ||
| **Learning:** Text inputs expose sensitive credentials visually to shoulder-surfing attacks and allow browsers to automatically save and potentially leak these values via autofill. | ||
| **Prevention:** Always use `<input type="password">` with `autoComplete="off"` when requesting or displaying sensitive credentials like API keys, passkeys, and passwords to ensure visual masking and prevent browser caching. |
The term "browser caching" is technically inaccurate in this context. Browsers store input values for autofill and password management in the user's profile, which is distinct from HTTP caching. Additionally, autoComplete="off" is frequently ignored by modern browsers for password fields. It's more accurate to describe this as preventing autofill/saving and to recommend new-password as a more effective attribute for fields that are not the primary login password.
| **Prevention:** Always use `<input type="password">` with `autoComplete="off"` when requesting or displaying sensitive credentials like API keys, passkeys, and passwords to ensure visual masking and prevent browser caching. | |
| **Prevention:** Always use `<input type="password">` with `autoComplete="new-password"` (or `"off"`) when requesting or displaying sensitive credentials like API keys, passkeys, and passwords to ensure visual masking and prevent browsers from incorrectly autofilling or offering to save these values. |
| <input | ||
| type="text" | ||
| type="password" | ||
| autoComplete="off" |
Modern browsers often ignore autoComplete="off" for password fields to prioritize their own password managers. Using autoComplete="new-password" is generally more effective at preventing browsers from attempting to autofill the site's login credentials into this API key field.
| autoComplete="off" | |
| autoComplete="new-password" |
| <input | ||
| type="text" | ||
| type="password" | ||
| autoComplete="off" |
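Review bot: this hunk switches the field to `type="password"` but keeps `autoComplete="off"`, which modern browsers commonly ignore on password-type inputs in favour of their own password manager; for consistency with the suggested changes on the other two files, use `autoComplete="new-password"` here too, so the browser neither fills this field with the site's saved login nor offers to save the key.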
| <input | ||
| type="text" | ||
| type="password" | ||
| autoComplete="off" |
In setup wizards, browsers are particularly aggressive with autofill. Using autoComplete="new-password" provides a stronger hint than "off" to prevent the browser from filling this field with unrelated saved credentials.
Additionally, note that unlike TmdbConfig.tsx, the onFocus handler for this input (line 309) does not clear the masked preview (e.g., ****). Now that the field is a password type, users might find it difficult to see that they are appending to the mask characters. Consider updating the onFocus logic to clear the state if it contains a mask.
| autoComplete="off" | |
| autoComplete="new-password" |
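As an added example (not code from this PR or the project), a framework-free model of the secret-field behaviour discussed in the review above: the attribute choice for the input, and clearing the masked preview (`****`) on focus so the user does not type onto the mask characters. The `hasStoredSecret` flag, the fixed preview length and the function names are assumptions.

```javascript
// Added example, not the project's code: a small state model for a secret
// input such as the TMDB API key or tracker passkey field.
const MASK_CHAR = "*";

// Attributes a secret field should render with. "new-password" tells the
// browser this is not the site's login password, so it should neither
// autofill a saved login here nor offer to save the typed value.
function secretInputProps() {
  return { type: "password", autoComplete: "new-password", spellCheck: false };
}

// A masked preview is a non-empty string made only of mask characters.
function isMaskedPreview(value) {
  return value.length > 0 && [...value].every((c) => c === MASK_CHAR);
}

// Preview shown for an already stored secret. Fixed length (assumed: 8) so
// the UI does not reveal the real key length.
function maskedPreview(length = 8) {
  return MASK_CHAR.repeat(length);
}

// State shape (assumed): { value, hasStoredSecret }.
// On focus, drop the mask so the user starts from an empty field; a value
// the user is actually editing is kept.
function onFocus(state) {
  if (isMaskedPreview(state.value)) return { ...state, value: "" };
  return state;
}

// On blur with nothing typed, restore the preview if a secret is stored;
// anything the user typed is kept as is.
function onBlur(state) {
  if (state.value === "" && state.hasStoredSecret) {
    return { ...state, value: maskedPreview() };
  }
  return state;
}

// Only a value that is not the preview may be submitted as a new secret;
// null means "leave the stored secret unchanged".
function valueToSubmit(state) {
  return isMaskedPreview(state.value) ? null : state.value;
}
```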
🚨 Severity: MEDIUM
💡 Vulnerability: Sensitive credentials such as TMDB API keys and Tracker Passkeys were entered using standard `<input type="text">` fields without `autoComplete="off"`. This exposes the credentials visually (shoulder-surfing) and allows browsers to save them in autofill.
🎯 Impact: Unauthorized access if someone sees the screen, or if a shared browser autofills the saved credentials on a malicious or unrelated site.
🔧 Fix: Changed the `<input>` types to `password` and added `autoComplete="off"` in `TmdbConfig.tsx`, `TmdbStep.tsx`, and `UploadTrackerPanel.tsx`.
✅ Verification: Verified by checking the UI components locally. The input fields now mask the characters and should prevent browser autofill prompts.
PR created automatically by Jules for task 7158906962711507577 started by @bobdivx