Medium
resolved
resolved
Kiro IDE Stores Auth Tokens with World-Readable Permissions (0644)
Bug reported by Sergio Garcia was disclosed at July 9, 2026, 3:31 pm | Incorrect Default Permissions
The Kiro IDE (version 0.11.107) wrote authentication tokens (access token and refresh token) to a file with world-readable permissions (0644). The file contained sensitive information, including the access token, refresh token, and profile ARN. This exposed the credentials to potential unauthorized access by local processes or users.

