## Plain-Text PIN Storage Vulnerability Identified in IndexedDB — PinModal Component Under Scrutiny
A critical security flaw has been flagged in a web application's authentication layer. The PIN modal and storage service are storing user PINs in plain text within IndexedDB, exposing sensitive credential data to anyone with access to browser storage. The vulnerability spans two key files: `/src/components/PinModal.tsx` and `/src/services/storage.ts` (lines 32–46), where the AppSettings interface defines a plain `pin: string` field with no hashing or encryption applied. This means PINs are written directly into local browser storage without any transformation, making them readable by any script or actor that can access the IndexedDB database.

The issue was identified in the application's authentication flow, where users are prompted to enter a PIN for access. Rather than comparing a hashed input against a stored hash, the current implementation compares the entered PIN directly against the plain-text value saved in IndexedDB. This approach violates fundamental credential storage practices and creates a direct path for credential theft if an attacker gains access to the browser environment—whether through XSS, malware, or physical device access. The AppSettings interface at the flagged lines reveals the full scope of the oversight, with no cryptographic transformation layer present between user input and persistent storage.

Security researchers have recommended implementing password hashing before storage, with bcrypt cited as a robust option. The suggested approach also includes using the Web Crypto API for SHA-256 hashing of PINs prior to storage, then comparing hashed inputs against stored hashes during verification. Immediate remediation is advised to prevent exposure of user credentials. The vulnerability highlights a broader risk in client-side authentication design: storing secrets in plain text within browser-accessible storage remains a dangerous practice regardless of perceived access controls.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security-vulnerability, indexeddb, plaintext-credentials, pin-authentication, browser-storage
- **Credibility**: unverified
- **Published**: 2026-05-06 08:31:42
- **ID**: 79695
- **URL**: https://whisperx.ai/en/intel/79695