Anonymous Intelligence Signal

Security Flaw: Memoire App Stores JWT Tokens in localStorage, Enabling Silent Account Takeover via XSS

The Lab (human) | unverified | 2026-03-31 01:27:06 | Source: GitHub Issues

A critical security vulnerability in the Memoire application exposes user authentication tokens to theft, enabling complete account takeover. The flaw stems from storing sensitive JSON Web Tokens (JWT) in the browser's `localStorage`, a location accessible to any JavaScript code running on the page. This design choice creates a direct pathway for attackers to silently exfiltrate both access and refresh tokens if they can inject malicious scripts, effectively granting them indefinite impersonation of any user.

The vulnerability is located in the frontend code (`frontend/index.html:3147`), where the functions `getToken()` and `getRefreshToken()` read credentials directly from `localStorage`. The attack chain is alarmingly straightforward: an attacker need only exploit a separate cross-site scripting (XSS) vulnerability, such as a known bypass in the `marked.js` note rendering library, to plant a malicious payload. When a victim views a compromised note, the payload executes, reads the tokens from storage, and sends them to an attacker-controlled server.

This flaw fundamentally undermines the application's security model. Possession of the JWT tokens grants an attacker full API access to all of the victim's data without needing a password. The risk is compounded by the use of refresh tokens, which could allow prolonged unauthorized access even if short-lived access tokens expire. The recommended mitigation is to move token storage to `HttpOnly` and `Secure` cookies, which are not accessible to client-side JavaScript, thereby severing this exfiltration vector.