Teacher passwords are stored and compared as plain text strings inside localStorage. This means anyone with browser DevTools access can instantly read every teacher's credentials.
Affected File
src/context/AuthContext.jsx
Steps to Reproduce
1. Register a new teacher account on the Login page.
2. Open browser DevTools → Application → Local Storage.
3. Find the key lecturePulse_teachers_db.
4. Observe that the password field is stored in plain text.
Code Reference
```js
// AuthContext.jsx — Line 47
teachers[teacherId] = { name, password }; // ← plain text password saved!
localStorage.setItem("lecturePulse_teachers_db", JSON.stringify(teachers));

// AuthContext.jsx — Line 27
if (user && user.password === password) { ... } // ← plain text comparison
```
Expected Behavior
Passwords should never be stored in plain text. They should be hashed before storage and compared using a hash-safe method.
Suggested Fix
Use the Web Crypto API to hash the password with SHA-256 before storing, then store and compare only the hashed value:
Caution
This is a security vulnerability. Even in a prototype/hackathon project, plain text passwords in localStorage expose all teacher accounts to anyone with physical or remote DevTools access.
Labels: security, bug. Priority: 🔴 High