Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure storage for "secrets"? (LCP SHA256 passphrases, OAuth access tokens) #900

Closed
danielweck opened this issue Dec 19, 2019 · 5 comments · Fixed by #1445
Closed

Secure storage for "secrets"? (LCP SHA256 passphrases, OAuth access tokens) #900

danielweck opened this issue Dec 19, 2019 · 5 comments · Fixed by #1445
Assignees
@danielweck
Labels
LCP

Comments

@danielweck
Copy link
Member

danielweck commented Dec 19, 2019
edited
Loading

Currently, Thorium stores this information in the database.

Possible technical solution?

https://github.com/atom/node-keytar

A native Node module to get, add, replace, and delete passwords in system's keychain. On macOS the passwords are managed by the Keychain, on Linux they are managed by the Secret Service API/libsecret, and on Windows they are managed by Credential Vault.

=> note that just as with LevelDown, KeyTar would need to be recompiled against the current Electron / NodeJS version used by Thorium (npm postinstall)
@danielweck danielweck self-assigned this Dec 19, 2019
@danielweck
Copy link
Member Author

danielweck commented Dec 19, 2019
edited
Loading

Important: on MacOS KeyChain, user-level access control is actually based on any NodeJS executable (i.e. not bound / tied specifically to Thorium), so the protection is actually relatively easy to circumvent once an attacker gains access to a user computer, to steal passphrases and access tokens (it would be harder than simply copy/pasting the DB contents from AppData/Roaming/EDRLab.ThoriumReader (Windows) or Library/Application Support/EDRLab.ThoriumReader (MacOS), but still trivial nonetheless for a prepared attacker, i.e. somebody with a NodeJS script who can invoke KeyTar on a victim's computer):

semantic-release/cli#256
semantic-release/cli#257

atom/node-keytar#88
atom/node-keytar#50
atom/node-keytar#214

@danielweck
Copy link
Member Author

As mentioned above, KeyTar offers a little bit more obfuscation but the protection can be broken, and the cost of compiling the native lib + potential bugs (as experienced with LevelDown for example) are a bit off-putting.
Perhaps we should just ask users to enter a master password everytime they launch Thorium in order to unlock authenticated features (much like the "password managers" of Firefox etc.). We could simply use AES-256-CBC encryption to securely store sensitive data in the DB (LevelDown or JsonDown).

@danielweck danielweck added the LCP label Jan 29, 2021
@danielweck
Copy link
Member Author

danielweck commented Feb 26, 2021
edited
Loading

For info: https://cameronnokes.com/blog/how-to-securely-store-sensitive-information-in-electron-with-node-keytar/

"any node.js process later on can access it without prompting the user. (When you package your Electron app, this value will be your app’s name and only your app will have access without prompting)."

@danielweck danielweck mentioned this issue Apr 27, 2021
Merged
danielweck added a commit that referenced this issue Apr 27, 2021
@danielweck
refactor(LCP): encrypted JSON persistence (PR #1445 Fixes #900 Fixes #…
3e6f378 
…888)
@danielweck
Copy link
Member Author

Fixed via #1445 #1419 and #1418

@danielweck
Copy link
Member Author

Native Electron alternative to node-keytar? https://www.electronjs.org/docs/api/safe-storage

@danielweck danielweck mentioned this issue Sep 30, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danielweck danielweck

Labels
LCP
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

LCP secrets JSON persistence edrlab/thorium-reader
1 participant
@danielweck