https://bugs.kde.org/show_bug.cgi?id=504193
--- Comment #26 from michaelk83 <mk.mat...@gmail.com> ---
(In reply to Arek Guzinski from comment #24)
> 1. What is keeping me from making some malware that identifies itself as
> "KDE System" to get access to all passwords?
> 2. What if an app should have access to certain passwords, but misuses that
> privilege to access other passwords?

These are known limitations in all Linux password managers, and it's probably not any better in other OSes. There are too many ways for apps to impersonate another app. Short of placing each app in its own user or sandbox, there isn't much that a password manager can do against that. Malware has other attack vectors as well.

There was *some* talk in KeePassXC to identify client apps more robustly, but even the solution that was discussed there isn't bulletproof.

This is why you need to protect your user account first of all. If you get malware on your user account, all bets are off. But this is getting off topic.

(In reply to Rainer from comment #25)
> I mean the client requesting access on the user behalf should show the popup
> that it was not able to complete my request.

That would depend on each client app. We can at most do that in KWalletManager. But most users rarely need to touch KWalletManager itself, and most access requests are not from there.