mechvibes icon indicating copy to clipboard operation
mechvibes copied to clipboard

Published 20 hours ago verified publisher icon hainguyents13

Is mechvibes a keylogger?

Open KostiaChorny opened this issue 3 years ago • 4 comments

Hi there,

It might be a stupid question (sorry), but how it actually works? As I understand, app installs global system hook on keyboard events, so it can potentially log all keystrokes and send it anywhere. Is there any guarantee that app is not capable to steal my passwords and credit card numbers?

Thank you a lot

KostiaChorny avatar Sep 06 '22 13:09 KostiaChorny

You never know what a binary does on your computer. You can find out using tools like SysInternals applications and debuggers, but it's not trivial and certainly not easy. And we are talking about an application that is not trying to be sneaky.

But here comes the great part about MechVibes!

The program is literally open-source that YOU yourself can compile and then run the executable. You can check the source code yourself, check what the program is doing, even make changes if you wish and then compile it and run for yourself.

Balls0fSteel avatar Sep 07 '22 16:09 Balls0fSteel

super thanks @Balls0fSteel @KostiaChorny You have my words, it's not a keylogger. The only thing that Mechvibes requests from the remote server is getting the version number from github for the update, nothing is being sent from your computer. In the next version of Mechvibes, It will request more than the version number, such as new sound-packs from Mechvibes cdn...

hainguyents13 avatar Sep 07 '22 16:09 hainguyents13

@Balls0fSteel @hainguyents13 Thank you for the answer! It's a great opportunity to improve skills in JS for me.

As far as I know, in Electron app all source code is open and can be modified. Is it possible to sign the application, so it can't be changed after build. Without the signature, other malicious software or some nasty joker can change the code of installed app and send the keystrokes anywhere.

KostiaChorny avatar Sep 07 '22 20:09 KostiaChorny

dude, just reverse code and check this out

ogbozoyan avatar Sep 18 '22 18:09 ogbozoyan

nah its safe, but in general its good practice to block internet access for fully offline apps like this, as even if it was it couldn't do anything.

Simplewall's pretty convenient for this as it gives a yes/no prompt the first time a service/app tries to access the internet, and just adds a rule to windows firewall depending on the option chosen. Or opensnitch if you use linux,

t3dium avatar Oct 07 '22 20:10 t3dium

Thank you all, just wanted to draw attention to security questions, which are usually ignored

KostiaChorny avatar Oct 07 '22 22:10 KostiaChorny