Bug 432713

Summary: KWallet should limit access of applications for security reasons
Product: [Frameworks and Libraries] frameworks-kwallet
Reporter: Valentin Petzel <bug.kde>
Component: general
Assignee: Valentin Rusu <valir>
Status: REPORTED ---
Severity: wishlist
CC: jonathan, kdelibs-bugs, kneczaj, mk.mateng, nate, postix, uwu
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Valentin Petzel 2021-02-10 00:49:38 UTC
A major problem of password managers like KWallet is that basically any application that has access to the Wallet will have full access to the Wallet. This is a HUGE security flaw, as this implies that ANY application that should use KWallet needs to be 100% trustworthy.
So I suggest that KWallet should not only allow giving applications access to the whole wallet, but also allow limiting an application's access to certain parts of the wallet.

For example: One could have a default policy that an application is only allowed to access keys in the wallet it created itself. If it wants to access other keys, it either has to explicitly get full permissions, or the user has to be prompted that this application wants access to a foreign key. Or something similar.

Regards,
Valentin
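The policy sketched in the report (own keys by default, foreign keys only via an explicit full-access grant or a user prompt) is small enough to model directly. The following is an added illustration written for this page; it is not KWallet code and uses no KWallet API. The class and method names (PolicyWallet, read, write, grant_full_access), the prompt callback, and the application and key names in demo() are all hypothetical and constructed here. It assumes the calling application's identity is already known to the wallet; it does nothing about one application impersonating another, which is a separate problem.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Callback standing in for the user prompt: (app, key) -> True if the user approves.
PromptFn = Callable[[str, str], bool]


@dataclass
class Entry:
    secret: str
    owner: str  # application that created the entry


class PolicyWallet:
    """Hypothetical wallet whose default policy is: an app may only touch keys it created."""

    def __init__(self, prompt: PromptFn) -> None:
        self._entries: Dict[str, Entry] = {}
        self._full_access: Set[str] = set()          # apps explicitly trusted with everything
        self._grants: Set[Tuple[str, str]] = set()   # (app, key) pairs the user approved once
        self._prompt = prompt
        self.audit: List[str] = []                   # decision log for later review

    def grant_full_access(self, app: str) -> None:
        """Explicit, user-level decision to trust an app with the whole wallet."""
        self._full_access.add(app)
        self.audit.append(f"FULL-ACCESS {app}")

    def _decide(self, app: str, key: str) -> bool:
        """Default-deny check for access to an existing key."""
        entry = self._entries[key]
        if entry.owner == app:                       # own key: always allowed
            return True
        if app in self._full_access or (app, key) in self._grants:
            return True
        if self._prompt(app, key):                   # foreign key: ask the user
            self._grants.add((app, key))             # remember the approval for this pair
            self.audit.append(f"GRANT {app} -> {key}")
            return True
        self.audit.append(f"DENY {app} -> {key}")
        return False

    def write(self, app: str, key: str, secret: str) -> None:
        # Creating a new key makes the caller its owner; overwriting a foreign key
        # goes through the same policy as reading it.
        if key in self._entries and not self._decide(app, key):
            raise PermissionError(f"{app} may not overwrite {key}")
        owner = self._entries[key].owner if key in self._entries else app
        self._entries[key] = Entry(secret, owner)

    def read(self, app: str, key: str) -> Optional[str]:
        if key not in self._entries:
            return None
        if not self._decide(app, key):
            raise PermissionError(f"{app} may not read {key}")
        return self._entries[key].secret


def demo() -> dict:
    """Constructed walk-through: one app's private key, one shared key, one foreign reader."""
    prompts: List[Tuple[str, str]] = []

    def ask_user(app: str, key: str) -> bool:
        prompts.append((app, key))
        return key.startswith("shared/")  # constructed user behaviour: approve only shared/* keys

    w = PolicyWallet(ask_user)
    w.write("kmail", "kmail/imap", "imap-pw")
    w.write("kmail", "shared/wifi", "wifi-pw")

    results: dict = {}
    results["own"] = w.read("kmail", "kmail/imap")              # owner reads its own key
    try:
        w.read("other-app", "kmail/imap")                        # foreign key, user declines
        results["foreign"] = "allowed"
    except PermissionError:
        results["foreign"] = "denied"
    results["shared_first"] = w.read("other-app", "shared/wifi")   # prompts, user approves
    results["shared_second"] = w.read("other-app", "shared/wifi")  # grant remembered, no prompt
    results["prompts"] = len(prompts)                               # 2 prompts in total
    w.grant_full_access("kwalletmanager")
    results["full"] = w.read("kwalletmanager", "kmail/imap")        # full-access app, no prompt
    results["audit"] = list(w.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit list is the part a reviewer would keep: every foreign access is either an explicit grant or a recorded denial, so "which application asked for which credential" is answerable after the fact rather than being lost in a single all-or-nothing wallet-open event.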
Comment 1 michaelk83 2022-09-06 12:30:33 UTC
Related to Bug 451039 comment 2.

The fundamental problem here is that it's possible for a malicious application to impersonate a trusted one. The above link provides only a partial solution; there are still ways around it. This needs to be solved at the desktop/OS level first, before it can be fully tackled by password managers.
Comment 2 michaelk83 2022-09-06 17:31:06 UTC
*** Bug 171616 has been marked as a duplicate of this bug. ***
Comment 3 michaelk83 2023-03-23 08:17:26 UTC
*** Bug 467533 has been marked as a duplicate of this bug. ***
Comment 4 Jonathan Romano 2023-08-14 03:20:46 UTC
Out of curiosity - how does this behave worse than the existing "access control" functionality that requires applications to be whitelisted before allowing access? It seems like any potential methods of sidestepping this would also apply there, right?

Barring being able to solve this directly, would it be an improvement to at least have an option to prompt before allowing access to a particular credential specifying which is trying to be accessed? Or would there still be a concern that it would lead to a false sense of security?