Missing User Warnings
Medium
- Confidence: 91%
- Finding: The README explicitly states that OAuth tokens are stored locally in a predictable path but does not warn that these are sensitive bearer and refresh tokens. If another local user, malware, backup system, or accidental file sharing exposes this file, an attacker could reuse the tokens to access the user's travel account and perform actions such as viewing or making bookings.
