File: crates/web/src/trust_store.rs:43-131, crates/web/src/profile/nickname_store.rs:24-80, crates/web/src/palette_recents.rs
Severity: security — integrity
Obvious? no
Peer-trust decisions and locally-chosen nicknames are persisted in localStorage as plain JSON keyed only by a string. Any same-origin script (e.g. browser extension content script, XSS leak via the issues above) can read or rewrite the trust map and silently elevate or demote peers.
There is no signature, MAC, or version check tied to the user's Ed25519 identity. Given trust drives downstream sync decisions, mutation here has security impact beyond UI preferences.
Fix: sign or HMAC the trust map with a key derived from the user's identity; reject unsigned/tampered entries on load.
Filed by /general-audit @ b901575 (2026-05-02). master: #513.
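One way the proposed fix could look, as an added example that is not code from this repository: a versioned envelope whose HMAC covers the slot name and payload, with anything unsigned or altered rejected on load. Node's `crypto` module stands in for the browser's Web Crypto so the sketch runs offline; the function names, the HKDF label, the `trust_store` slot name, the envelope layout and the stand-in secret are all assumptions.

```javascript
// Added example, not project code. All names here are illustrative assumptions.
const { hkdfSync, createHmac, timingSafeEqual } = require('node:crypto');

const FORMAT_VERSION = 1;

// Derive a MAC-only key from the identity secret, so the identity key
// itself is never used directly for storage integrity.
function deriveMacKey(identitySecret) {
  return Buffer.from(
    hkdfSync('sha256', identitySecret, Buffer.alloc(0), 'local-store-mac-v1', 32));
}

// The MAC covers version, slot name and payload, so a valid blob from one
// slot (e.g. nicknames) cannot be copied into another (e.g. trust).
function tag(macKey, version, slot, payload) {
  return createHmac('sha256', macKey)
    .update(JSON.stringify([version, slot, payload]))
    .digest();
}

function seal(macKey, slot, value) {
  const payload = JSON.stringify(value);
  const mac = tag(macKey, FORMAT_VERSION, slot, payload).toString('base64');
  return JSON.stringify({ v: FORMAT_VERSION, payload, mac });
}

// Returns the stored value, or null for anything unsigned, tampered,
// malformed or of an unknown version. Callers treat null as "no data".
function unseal(macKey, slot, raw) {
  let env;
  try { env = JSON.parse(raw); } catch { return null; }
  if (!env || env.v !== FORMAT_VERSION) return null;
  if (typeof env.payload !== 'string' || typeof env.mac !== 'string') return null;
  const given = Buffer.from(env.mac, 'base64');
  const expected = tag(macKey, env.v, slot, env.payload);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try { return JSON.parse(env.payload); } catch { return null; }
}

// Constructed sample data: a 32-byte stand-in secret and a two-peer trust map.
const demoKey = deriveMacKey(Buffer.alloc(32, 7));
const sealedMap = seal(demoKey, 'trust_store', { peerA: 'trusted', peerB: 'blocked' });
const forgedMap = sealedMap.replace('blocked', 'trusted'); // edit without the key
console.log(unseal(demoKey, 'trust_store', sealedMap));
console.log(unseal(demoKey, 'trust_store', forgedMap));
```

The check is only as strong as the MAC key's isolation: a script that can read or use that key can re-seal a modified map. A MAC alone also does not stop an older, validly sealed blob from being written back.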