[Security] Keystrokes stored in plaintext including passwords and sensitive input #13

@alamparelli

Description

Summary

During a security audit of the codebase, I identified that all keystrokes captured during recording are stored in plaintext in the project's mouse.json file, including characters typed into password fields and other sensitive inputs.

Details

  • KeyboardEventHandler.swift (lines 107-111): Captures every keyDown/keyUp event via CGEventTap, including the actual Unicode character via event.keyboardGetUnicodeString.
  • MouseEvent.swift (lines 119-146, 384-395): The raw character data is serialized into mouse.json within the .screenize project package.

This means passwords, credit card numbers, API keys, private messages — anything the user types during a screen recording — is persisted indefinitely in an unencrypted JSON file on disk.

Impact

  • The .screenize project file is a standard directory bundle, trivially readable by any process or user with file system access.
  • Users may not realize that their keystrokes (not just what's visible on screen) are being recorded and stored.
  • Sharing a .screenize project file with someone would also share all typed characters, including sensitive ones.

Suggested Mitigation

  1. Suppress character capture for secure text fields: Check if the focused element has the AXSecureTextField role (via Accessibility API) and redact characters when it does.
  2. Store only keycode + modifiers by default, and only resolve to characters when the keystroke overlay feature is explicitly enabled.
  3. Document the behavior so users are aware that keystrokes are captured during recording.
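The following Swift sketch is an added illustration of mitigations 1 and 2 above; it is not code from the Screenize project. It assumes a `RecordedKeystroke` type and a `captureCharacters` flag (both hypothetical names) standing in for whatever the project's keystroke-overlay setting is called, that the process already holds Accessibility permission, and that the event arrives from the existing CGEventTap. The Accessibility query fails closed: if the focused element cannot be determined, the character is redacted.

```swift
import ApplicationServices
import CoreGraphics

/// What gets serialized per keystroke (hypothetical type, not the project's).
/// keyCode and modifiers are always kept; `character` is nil when redacted
/// or when character capture is disabled.
struct RecordedKeystroke: Codable {
    let keyCode: Int64
    let modifiers: UInt64
    let character: String?
}

/// Returns true when the system-wide focused UI element reports the
/// AXSecureTextField role (a password field). Any failure of the
/// Accessibility query is treated as "secure" so a missing answer never
/// leaks characters.
func focusedElementIsSecureTextField() -> Bool {
    let systemWide = AXUIElementCreateSystemWide()
    var focused: CFTypeRef?
    guard AXUIElementCopyAttributeValue(systemWide,
                                        kAXFocusedUIElementAttribute as CFString,
                                        &focused) == .success,
          let focusedRef = focused else {
        return true // fail closed
    }
    let element = focusedRef as! AXUIElement
    var role: CFTypeRef?
    guard AXUIElementCopyAttributeValue(element,
                                        kAXRoleAttribute as CFString,
                                        &role) == .success,
          let roleString = role as? String else {
        return true // fail closed
    }
    return roleString == kAXSecureTextFieldRole
}

/// Builds the record from a keyDown CGEvent. The Unicode character is
/// resolved only when the overlay feature is enabled AND the focused
/// field is not a secure text field; otherwise only keycode + modifiers
/// are stored.
func makeRecord(from event: CGEvent, captureCharacters: Bool) -> RecordedKeystroke {
    let keyCode = event.getIntegerValueField(.keyboardEventKeycode)
    let modifiers = event.flags.rawValue

    guard captureCharacters, !focusedElementIsSecureTextField() else {
        return RecordedKeystroke(keyCode: keyCode, modifiers: modifiers, character: nil)
    }

    // Same call the report cites (keyboardGetUnicodeString), reached only
    // after the policy checks above.
    var length = 0
    var buffer = [UniChar](repeating: 0, count: 4)
    event.keyboardGetUnicodeString(maxStringLength: buffer.count,
                                   actualStringLength: &length,
                                   unicodeString: &buffer)
    let text = String(utf16CodeUnits: buffer, count: length)
    return RecordedKeystroke(keyCode: keyCode, modifiers: modifiers, character: text)
}
```

Because the role check runs per event, a user who tabs from a username field into a password field mid-recording gets redaction from the first secure keystroke onward. The keycode alone is still stored, so an overlay can show that a key was pressed without reconstructing the text; if that is still considered too much for secure fields, drop the keycode as well when `focusedElementIsSecureTextField()` returns true.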

Environment

  • Screenize (latest main branch)
  • macOS 15.x
  • Audit performed on commit as of 2026-02-06
