Summary
The API key input in the Add New Access Method dialog is a type="password" field with autocomplete="on". Browser password managers may cache the value keyed to the current URL, and the key could autofill on unintended pages or be stored in browser sync.
Impact
- API keys cached by browser password managers could be exposed if:
- The browser account is compromised
- The autofill triggers on a phishing page at a similar URL
- The browser sync is enabled and sends keys to cloud storage
Fix Recommendation
Set autocomplete="off" (or autocomplete="new-password") on the API key input field in the Add Access Method dialog:
<input
type="password"
name="apiKey"
autoComplete="new-password"
...
/>
Environment
- URL:
https://dev.civicdataspace.in/dashboard/organization/civicdatalab/aimodels/edit/{id}/versions (Add Access Method dialog)
- Discovered: 2026-06-22 via QA audit
- Report ref: SEC-004
Summary
The API key input in the Add New Access Method dialog is a
type="password"field withautocomplete="on". Browser password managers may cache the value keyed to the current URL, and the key could autofill on unintended pages or be stored in browser sync.Impact
Fix Recommendation
Set
autocomplete="off"(orautocomplete="new-password") on the API key input field in the Add Access Method dialog:Environment
https://dev.civicdataspace.in/dashboard/organization/civicdatalab/aimodels/edit/{id}/versions(Add Access Method dialog)