Missing User Warnings
Medium
- Confidence
- 96% confidence
- Finding
- The code persists the Roon authorization token in a plaintext JSON file under the user's home directory without setting restrictive permissions or warning the user. If another local user, process, backup system, or malware can read that file, the token could be reused to control the user's Roon Core and access associated playback metadata.
