Title: OpenAI API Key Stored in Plaintext (Security Risk)
Description:
Long-time Plexamp fan here — nothing else like it. Loving the ChatGPT feature, but I spotted a potential security concern:
The OpenAI API key pasted into Plexamp’s Settings → OpenAI panel is saved in plaintext within LevelDB logs:
~/Library/Application Support/Plexamp/Local Storage/leveldb/
- The full key remains visible in the UI.
- It’s unmasked and unencrypted on disk.
- If your machine is shared, accessed remotely, or compromised, this exposes the key.
Screenshots:
- OpenAI settings panel with API Key visible.
- Two Plexamp app versions side-by-side (iOS-like vs native ARM).
(I can provide actual screenshots upon request.)
Steps to Reproduce:
- Open Plexamp on macOS.
- Navigate to Settings → OpenAI.
- Paste your API key.
- Close Plexamp.
- Inspect LevelDB files in the above path — the key appears in plaintext.
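One way to perform the last step without eyeballing binary files, as an added example that is not Plexamp's code: a small scanner that walks a LevelDB directory, looks for key-shaped strings in both raw and UTF-16LE form, and reports only redacted findings. The key pattern, the file suffixes and the sample directory it builds are assumptions and constructed data, not values from this report.

```python
"""Scan a LevelDB-backed Local Storage directory for plaintext OpenAI API keys."""
import re
import tempfile
from pathlib import Path

# Assumption: OpenAI keys start with "sk-" followed by a long run of
# URL-safe characters; the exact length and alphabet are not guaranteed.
KEY_RE = re.compile(rb"sk-[A-Za-z0-9_\-]{20,}")
# Chromium-style Local Storage can store string values as UTF-16LE, which
# interleaves NUL bytes; a byte-wise grep for "sk-" would miss that form.
KEY_RE_UTF16 = re.compile(rb"s\x00k\x00-\x00(?:[A-Za-z0-9_\-]\x00){20,}")
# LevelDB keeps data in write-ahead logs (.log) and sorted tables (.ldb/.sst).
SCAN_SUFFIXES = {".ldb", ".log", ".sst"}

def redact(key: str) -> str:
    """Keep only the prefix and last four characters for safe reporting."""
    return key[:3] + "..." + key[-4:]

def find_keys(data: bytes) -> list[str]:
    """Return every distinct key-shaped string found in a blob of file bytes."""
    found = {m.group(0).decode("ascii") for m in KEY_RE.finditer(data)}
    found |= {m.group(0).decode("utf-16-le") for m in KEY_RE_UTF16.finditer(data)}
    return sorted(found)

def scan_leveldb_dir(directory: Path) -> dict[str, list[str]]:
    """Map each LevelDB file that holds a key to its redacted findings."""
    findings = {}
    for path in sorted(directory.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            keys = find_keys(path.read_bytes())
            if keys:
                findings[str(path.relative_to(directory))] = [redact(k) for k in keys]
    return findings

def build_sample_dir() -> Path:
    """Constructed stand-in for the leveldb folder above; not real Plexamp data."""
    root = Path(tempfile.mkdtemp(prefix="leveldb-sample-"))
    ascii_key = b"sk-CONSTRUCTEDEXAMPLEKEYabcd1234wxyz"
    utf16_key = "sk-CONSTRUCTEDUTF16EXAMPLEKEY".encode("utf-16-le")
    (root / "000003.log").write_bytes(b"openai_api_key\x00" + ascii_key + b"\x00")
    (root / "000005.ldb").write_bytes(b"\x01" + utf16_key + b"\x00\x00")
    (root / "CURRENT").write_bytes(b"MANIFEST-000004\n")  # no key: not reported
    return root

if __name__ == "__main__":
    for name, keys in scan_leveldb_dir(build_sample_dir()).items():
        print(f"{name}: {keys}")
```

Point `scan_leveldb_dir` at the real `Local Storage/leveldb/` path to check your own machine; a non-empty result means the key is recoverable from disk without the app.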
Expected Behavior:
- The key should be masked (e.g., ••••••••) in the UI.
- On disk, it should be encrypted or securely protected (macOS Keychain, etc.).
Impact:
- Exposes users to key leakage if macOS account is accessed by others or compromised.
- Could lead to leaked keys, unintended costs, or unauthorized access.
Environment:
- macOS Monterey / Ventura on Mac mini (Apple Silicon).
- Plexamp v4.12.3 (React Native v0.72.15).
- Both ARM-native and iOS-styled builds.
Additional Info:
- Happy to submit logs or screenshots privately.
- Let me know if there’s a preferred secure channel for these types of reports.
