264
Signal downplays encryption key flaw, fixes it after X drama
(www.bleepingcomputer.com)
This is a most excellent place for technology news and articles.
I think the OS prevents apps from accessing data in those keychains, right? So there wouldn't be an automated/scriptable way to extract the key in as easy of a way.
But that's the thing: I haven't found anything that indicates it can differentiate a legitimate access from a dubious one; at least not without asking the user to authorize it by providing a password and causing the extra inconvenience.
If the wallet asked the program itself for a secret - to verify the program was legit and not a malicious script - the program would still have the same problem of storing and retrieving that secret securely; which defeats the use of a secret manager.
It's not about legitimate access versus illegitimate access. As I understand it, these keychains/wallets can control which specific app can access any given secret.
It's a method of sandboxing different apps from accessing the secrets of other apps.
In function, browser access to an item can be problematic because browsers share data with the sites that it visits, but that's different from a specific app, hardcoded to a specific service being given exclusive access to a key.
upon reading a bit how different wallets work, it seems macos is able to identify the program requesting the keychain access when it's signed with a certificate - idk if that's the case for signal desktop on mac, and I don't know what happens if the program is not signed.
As for gnome-keyring, they ackowledge that doing it on Linux distros this is a much larger endeavor due to the attack surface:
Also
In other words, the problem is beyond the scope of gnome-keyring. Maybe now with diffusion of Wayland and more sandboxing options reducing this context becomes viable.
You are absolutely correct. This can help in a world where every app is well sandboxed (thus can be reliably identified and isolated).