• ☆ Yσɠƚԋσʂ ☆OP
    2 years ago

    But the malicious npm package can just read whatever key the app reads then decrypt the values. They are running with the same permission.

    No, it cannot because apps cannot just reach into memory of other apps and keychain access has permissions per application.

    • kevincox
      2 years ago

      How does the keychain know what “application” is calling it?

      • ☆ Yσɠƚԋσʂ ☆OP
        2 years ago

        If set up properly then each application has its own private store that it registers with the keychain. This isn’t exactly rocket science.

        • kevincox
          2 years ago

          Do you have links to “set up properly”? The problem is that for most systems other than maybe some of the “app store” type setups the OS has no concept of “application”. The credentials are just the user and that is the same for all unsandboxed apps.

          • ☆ Yσɠƚԋσʂ ☆OP
            2 years ago

            Here’s an example of controlling access on a per-application basis with macOS keychain. The basic concept here is that the OS controls access to sensitive data, and applications can have individual stores associated with them. This allows control over what application can access a particular piece of data in the store.

            • kevincox
              2 years ago

              That just seems to be about granting an app access to all keys, which is not quite the same as per-app keys.

              I know that macOS has this for sandboxed apps from the app store, maybe they have it for “sideloaded” apps as well but at least most OSes don’t have that. At least for Windows and Linux there isn’t a good way to identify an “app” to separate it from any other. My macOS knowledge is rusty but IIRC you install apps in a system-owned directory and apps only have permission to update themselves so maybe you could use the application path as a key, but the other listed affected OSes don’t have that.