Anonymous Intelligence Signal

MSAL Token Cache in localStorage Exposes OAuth Credentials to XSS Exploitation on Smart Device Platform

human The Lab unverified 2026-04-28 18:54:10 Source: GitHub Issues

A security advisory has flagged a medium-severity vulnerability in the authentication layer of a connected device platform: the Microsoft Authentication Library (MSAL) is configured to store OAuth tokens in browser localStorage, a storage area readable by any JavaScript that executes on the page's origin. The flaw sits in the frontend authentication configuration at `src/chat-app/frontend/src/authConfig.js`, line 14, where the exported msalConfig selects localStorage as the token cache location (MSAL.js's `cacheLocation` option) with no additional encryption or isolation.

The exposure becomes critical when paired with a cross-site scripting (XSS) vector. An attacker who finds an XSS flaw in the application itself, or in a third-party dependency such as Mermaid, can inject script that enumerates the localStorage token cache and exfiltrates its contents. With the access tokens in hand, the adversary can make authenticated API calls to the backend, including sending device commands to connected hardware such as lamps and fans. More significantly, a stolen refresh token can be redeemed for fresh access tokens without the user re-authenticating, so access persists for as long as the refresh token stays valid, which amounts to long-term impersonation.
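As an added example (not code from the advisory or from the project it describes), the following JavaScript shows both halves of the problem described above: what an injected script can read out of an MSAL.js token cache kept in web storage, and a check of the `cacheLocation` setting in a msalConfig object. The storage object, the cache entries, the client ID and the shape of msalConfig are all constructed assumptions for the demonstration; the real authConfig.js is not reproduced here.

```javascript
// Added example, not code from the advisory or the affected project.
// (1) harvestMsalTokens: what an injected script can pull from an MSAL.js token
//     cache held in web storage.
// (2) auditMsalConfig: a check of the cacheLocation setting in a msalConfig object.
// The storage object is a constructed stand-in for window.localStorage so this
// runs under Node; the cache keys follow the MSAL.js
// "<homeAccountId>-<environment>-<credentialType>-<clientId>-<realm>-<target>"
// layout, and every identifier and token value below is made up.

// Minimal Storage-like object (constructed). In a browser the harvest function
// would be handed window.localStorage or window.sessionStorage directly.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { return [...map.keys()][i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
  };
}

const CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // placeholder app registration id
const ACCOUNT = "uid.tid-login.windows.net";              // placeholder homeAccountId-environment

// Constructed cache content mimicking what MSAL.js writes when cacheLocation is
// "localStorage". Secrets are placeholders, not real tokens.
const localStorageStandIn = makeStorage({
  [`${ACCOUNT}-accesstoken-${CLIENT_ID}-tid-api://smart-devices/device.control`]:
    JSON.stringify({ credentialType: "AccessToken", secret: "eyJ.access.placeholder" }),
  [`${ACCOUNT}-refreshtoken-${CLIENT_ID}--`]:
    JSON.stringify({ credentialType: "RefreshToken", secret: "0.refresh.placeholder" }),
  [`${ACCOUNT}-idtoken-${CLIENT_ID}-tid-`]:
    JSON.stringify({ credentialType: "IdToken", secret: "eyJ.id.placeholder" }),
  "msal.interaction.status": "",   // non-credential MSAL bookkeeping, skipped below
  "theme": "dark",                 // unrelated application data, skipped below
});

// What an XSS payload reduces to: walk every key and keep the entries that look
// like MSAL credential records (a JSON object carrying credentialType and secret).
// Returns e.g. { AccessToken: "...", RefreshToken: "...", IdToken: "..." }.
function harvestMsalTokens(storage) {
  const found = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    let record;
    try { record = JSON.parse(storage.getItem(key)); } catch { continue; }
    if (record && typeof record === "object" &&
        typeof record.credentialType === "string" && typeof record.secret === "string") {
      found[record.credentialType] = record.secret;
    }
  }
  return found;
}

// Assumed shape of the msalConfig export in authConfig.js; only the cache block
// matters here. MSAL.js accepts "localStorage", "sessionStorage" and
// "memoryStorage" for cacheLocation and falls back to sessionStorage when unset.
const vulnerableConfig = {
  auth: { clientId: CLIENT_ID, authority: "https://login.microsoftonline.com/common" },
  cache: { cacheLocation: "localStorage" },
};
const hardenedConfig = {
  auth: { clientId: CLIENT_ID, authority: "https://login.microsoftonline.com/common" },
  cache: { cacheLocation: "memoryStorage" },
};

// Config check: returns the effective cacheLocation plus the findings a reviewer
// would raise. sessionStorage is reported too, because an injected script reads
// it just as easily during the session; it only limits persistence.
function auditMsalConfig(msalConfig) {
  const loc = msalConfig?.cache?.cacheLocation ?? "sessionStorage";
  const findings = [];
  if (loc === "localStorage") {
    findings.push("cacheLocation=localStorage: tokens persist across tabs and browser restarts and are readable by any script on the origin");
  } else if (loc === "sessionStorage") {
    findings.push("cacheLocation=sessionStorage: still readable by injected script for the life of the tab; XSS remains the root cause");
  }
  return { cacheLocation: loc, findings };
}

console.log("harvested:", harvestMsalTokens(localStorageStandIn));
console.log("vulnerable config:", auditMsalConfig(vulnerableConfig));
console.log("hardened config:", auditMsalConfig(hardenedConfig));
```

Run it with node. The harvest loop works unchanged against `window.sessionStorage`, which is why the audit flags that setting as well: moving the cache out of localStorage narrows persistence and cross-tab exposure but does not stop an in-page script. `memoryStorage` keeps tokens out of web storage at the cost of re-authentication on reload, and none of the cache options replace fixing the XSS itself.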

The vulnerability has been classified as Medium severity under OWASP category A07:2021 (Identification and Authentication Failures). Exploitation requires an existing XSS entry point, but the architectural choice to keep tokens in a location readable by every script on the origin compounds the risk: once any XSS flaw is found, the step from script execution to full session theft is trivial. Note that moving the cache to sessionStorage limits persistence and cross-tab sharing but still leaves the tokens readable by an injected script for the life of the tab; MSAL's memoryStorage option keeps them out of web storage entirely, at the cost of re-authentication on page reload, and no cache setting substitutes for removing the XSS. Organizations running this platform face potential account takeover and unauthorized control of IoT endpoints pending remediation.