
[Security] Chrome extension broadcasts auth token to all listeners via health message #673

@mr-k-man

Description

Summary

extension/background.js:80 — The auth token is included in chrome.runtime.sendMessage({ type: 'health', data: { ...healthData, token: authToken } }) which broadcasts to ALL extension components. If the sidepanel has an XSS vulnerability, the token is immediately compromised and can be used to make authenticated requests to the browse server.

Impact

Medium — violates principle of least privilege. The token should only be delivered to the component that needs it, not broadcast to all listeners.

Fix

PR #664 removes the token from the health broadcast. The sidepanel now requests it via a targeted getToken message with sendResponse, which only delivers to the requesting component.

Found via sqry AST-based semantic code graph analysis.
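The two messaging patterns this issue contrasts, as an added JavaScript example that is not code from the project or from the issue author: the health broadcast that carries the token beside the targeted getToken request answered via sendResponse. chrome.runtime is replaced by a small constructed stand-in so the example runs in Node, and the component names, token value and health fields are assumptions.

```javascript
// Constructed stand-in for chrome.runtime messaging (NOT the real Chrome API):
// sendMessage delivers to every onMessage listener and hands back the first
// sendResponse value, which is enough to contrast broadcast with targeted reply.
const listeners = [];
const chrome = {
  runtime: {
    onMessage: { addListener: (fn) => listeners.push(fn) },
    sendMessage: (msg) => {
      let reply;
      for (const fn of listeners) fn(msg, { id: 'ext' }, (r) => { if (reply === undefined) reply = r; });
      return reply;
    },
  },
};
// Three assumed extension components; each records every message it receives.
const seen = { sidepanel: [], popup: [], content: [] };
for (const name of Object.keys(seen)) {
  chrome.runtime.onMessage.addListener((msg) => { seen[name].push(msg); });
}
function resetSeen() { for (const name of Object.keys(seen)) seen[name].length = 0; }

const AUTH_TOKEN = 'constructed-token-123';      // placeholder, not a real secret
const healthData = { status: 'ok', uptime: 42 }; // assumed health fields

// BEFORE (the pattern the issue reports): the token rides along with the health
// broadcast, so every listener, including a possibly XSS-able one, receives it.
function broadcastHealthWithToken() {
  chrome.runtime.sendMessage({ type: 'health', data: { ...healthData, token: AUTH_TOKEN } });
}

// AFTER (the pattern the fix describes): health carries no secret, and the
// background answers a targeted getToken request through sendResponse, which
// reaches only the component that asked.
function installBackgroundHandlers() {
  chrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => {
    if (msg.type === 'getToken') sendResponse({ token: AUTH_TOKEN });
  });
}
function broadcastHealth() {
  chrome.runtime.sendMessage({ type: 'health', data: { ...healthData } });
}
function sidepanelRequestToken() {
  return chrome.runtime.sendMessage({ type: 'getToken' });
}
// Review check: which components ever received a message carrying a token?
function componentsThatSawToken() {
  return Object.keys(seen).filter((n) => seen[n].some((m) => m.data && m.data.token !== undefined));
}
```

Running componentsThatSawToken() after each pattern shows the broadcast exposing the token to every component while the targeted request exposes it to none of the recorded listeners.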
