Vulnerability fix proposal: Private Key Passphrase Stored in Shared and others.#17
Open
Alb4don wants to merge 2 commits into
Open
Vulnerability fix proposal: Private Key Passphrase Stored in Shared and others.#17Alb4don wants to merge 2 commits into
Alb4don wants to merge 2 commits into
Conversation
…nd others. sessionStorage is readable by any JavaScript running in the same origin, including injected scripts. The passphrase was stored in cleartext. This pull fixes the problems. - The passphrase is now wrapped with AES-GCM before storage. A random 32-byte salt is used to derive a per-session wrapping key via HKDF (SHA-256) using crypto.subtle. - The salt + IV + ciphertext blob is base64-encoded and stored as sessionPassphraseBlob. - The raw passphrase never touches sessionStorage. - The resetPassphrase handler now clears sessionPassphraseBlob instead of the old sessionPassphrase key.
…ifier strings. - A createKeyRow() helper and a createTextCell() helper are introduced. - All table rows are now built exclusively through the DOM API (createElement, textContent, dataset). - No string interpolation into HTML is used anywhere in key table rendering.
eddieoz
requested changes
May 18, 2026
Owner
There was a problem hiding this comment.
Thanks for the contribution!
Please revert the deletion of the original documenting comments. Documenting comments are essential for explaining the why behind the code for future maintainers, and we need to keep them intact.
Additionally, please update your new comments to remove the FIX: prefix and format them as standard, clean documenting comments.
Why we avoid FIX: prefixes in the codebase:
- Noise vs. Signal: While
FIX:is useful in temporary git commit messages or local TODOs, leaving it permanently in the source code adds unnecessary text that litters the codebase over time. - The "Trashing" Effect: If every developer tags their changes with prefixes like
FIX:,CHANGED:, orPATCH:, the code quickly becomes crowded with historical meta-text that doesn't add value to the actual logic. - Clean Code Principle: A good code comment should cleanly describe what the code does or why it exists, without needing historical context markers. The exact history of who fixed what is already perfectly preserved in the Git history.
Example of what to do:
❌ Avoid:
// FIX: Adjusted the timeout buffer to prevent race conditions on slow connections
- can you change it to:*
// Adjust the timeout buffer to prevent race conditions on slow connections
Once the original documentation is restored and the new comments are cleaned up, this will be good to go!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Affected component: content.js, setSessionPassphrase() (lines 329–331), getSessionPassphrase() (lines 323–326), and the message listener (lines 619–625).
The extension stored the user's private key password directly in sessionStorage. Although Chrome content scripts run in an isolated JavaScript environment, the DOM storage APIs sessionStorage and localStorage are still shared with the host page.
This means that everything stored by the content script could be read/retrieved by any script (including third-party scripts) running on twitter.com, x.com, or web.whatsapp.com.
What made this more interesting was the persistence behavior. After a page refresh, the passphrase was still there and when the user clicked any link that triggered window.open() which Twitter does constantly the new tab inherited the full sessionStorage of the parent, passphrase included.
We also confirmed that the AES-GCM encryption used for public tweets derived its key entirely from the GPG fingerprint .
And The private keys themselves were stored in plaintext inside chrome.storage.local, persisted to disk. Combined with the passphrase sitting in sessionStorage.