You can follow the steps here to use a previous version of the desktop app to extract the keys: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93

The javascript didn’t seem to send the extracted data anywhere, but I did disconnect from the internet while running the script.

Remote wipes are possible. Log into your Apple/Google account, figure out how to find your device, then perform a remote wipe.

I’m going to have to stop replying because I don’t have the time to run every individual through infosec 101.

Sorry, but you’re missing the point here. You cannot do anything with a password without storing it in memory. That’s not even infosec 101, that’s computing 101. Every computation is toggling bits between 1 and 0 and guess where these bits are stored? That’s right: in memory.

The backend should never have access to a variable with a plaintext password.

You know how the backend gets that password? In a plaintext variable. Because the server needs to decrypt the TLS data before doing any computations on it (and yes I know about homomorphic encryption, but no that wouldn’t work here).

Yes, I agree it’s terrible form to send out plain text passwords. And it would make me question their security practices as well. I agree that lots of people overreacted to your mistake, but this thread has proven that you’re not yet as knowledgeable as you claim to be.