Security concern/risk: KeePassium requests too many privileges (full access) in OneDrive
What can be improved? I was shocked when Microsoft Authenticator showed this when I was adding a OneDrive server connection:
Have full access to all files you have access to KeePassium will be able to read, create, update and delete all OneDrive files that you can access.
This is an immediate red flag and a major security concern due to potential damage in case of a breach.
For its functionality KeePassium really only needs read, create, update and delete access on selected folder(s), where it can read/update the password database file and create/delete backups. There is absolutely no need to allow the app read, create, update and delete all OneDrive files.
The solution you'd like
According to the OneDrive API docs, a Files.ReadWrite.AppFolder privilege exists. Please use (or allow to choose) this option. Or find another way to downgrade the access privileges to folder level in order to enforce damage control in case of a breach.
Alternatives you've considered The alternative solution is not to use KeePassium. We do not want this alternative.
Thank you for the feedback.
Let's review all the available ReadWrite OneDrive API permissions.
Files.ReadWrite.Selected: Read and write files that the user selects.
- Microsoft remark: Limited support in Microsoft Graph. (…) Should not be used for directly calling Microsoft Graph APIs.
- This is the one KeePassium really needs: access to a single user-selected file. But Microsoft's remark above explicitly dissuades from using it.

Files.ReadWrite.AppFolder: (Preview) Allows the app to read, create, update, and delete files in the application's folder.
- Microsoft remarks: The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts.
- This does not solve the problem for most sensitive users (corporate accounts).

Files.ReadWrite: Allows the app to read, create, update, and delete the signed-in user's files.
- This is where we started. However, this permission excludes shared files for business accounts (#273).

Files.ReadWrite.All: Allows the app to read, create, update, and delete all files the signed-in user can access.
- This is the widest permission. But as far as I can see, this is the smallest permission that satisfies all the requirements:
  - Works for personal and business accounts
  - Allows access to a shared file
  - Works via Graph API
The most secure alternative is to use OneDrive via Files app. The stability of this approach depends on OneDrive which had issues lately (#256). And this is completely impossible in a corporate environment where OneDrive applies Intune's data protection policies.
I am all open for suggestions…
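To make the scope trade-off above concrete, here is an added example (not KeePassium's own code) that picks the narrowest delegated scope for a deployment, builds the Microsoft identity platform authorization request with exactly that scope, and audits the `scp` claim of an issued token to catch over-privilege. The client id, redirect URI and the sample token are constructed placeholders; the endpoint, scope names, `scp` claim and `/me/drive/special/approot` path are from Microsoft's public documentation.

```python
"""Added example (not KeePassium's code): request the narrowest OneDrive
delegated scope and audit what a token actually grants. Client id, redirect
URI and the sample token below are constructed placeholders."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Delegated Files.* scopes discussed in the thread, narrowest first.
FILE_SCOPES_BY_BREADTH = (
    "Files.ReadWrite.AppFolder",  # app's own folder; personal accounts only
    "Files.ReadWrite",            # user's own drive; misses shared files on business accounts
    "Files.ReadWrite.All",        # everything the signed-in user can reach
)


def narrowest_scope(business_account: bool, shared_file: bool) -> str:
    """Narrowest scope that still works, following the maintainer's analysis:
    AppFolder is personal-only, ReadWrite misses shared files on business
    accounts, ReadWrite.All covers both."""
    if business_account and shared_file:
        return "Files.ReadWrite.All"
    if business_account or shared_file:
        return "Files.ReadWrite"
    return "Files.ReadWrite.AppFolder"


def authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization-code request (v2.0 endpoint, PKCE). Scopes are
    space-separated; offline_access is added so a refresh token is issued."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join([*scopes, "offline_access"]),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def requested_scopes(url):
    """Read the scope list back out of an authorize URL (a cheap release check)."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_scopes(access_token):
    """Delegated permissions from the token's `scp` claim. The signature is NOT
    checked: this audits a token the app already holds, it does not validate it."""
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(claims.get("scp", "").split())


def excess_scopes(access_token, needed):
    """Scopes granted beyond what the app needs (empty set means least privilege)."""
    return granted_scopes(access_token) - set(needed)


def approot_content_url(relative_path):
    """Graph URL for a file inside the app's own folder, the only place
    Files.ReadWrite.AppFolder can reach."""
    return f"{GRAPH_BASE}/me/drive/special/approot:/{relative_path}:/content"


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg=none, empty signature) for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: a token carrying the broad scope although AppFolder sufficed.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "scp": "Files.ReadWrite.All offline_access"})

if __name__ == "__main__":
    scope = narrowest_scope(business_account=False, shared_file=False)
    url = authorize_url("00000000-0000-0000-0000-000000000000",  # placeholder client id
                        "msauth://example.app/auth", [scope], state="xyz",
                        code_challenge="E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
    print("requested:", requested_scopes(url))
    print("excess in sample token:",
          excess_scopes(SAMPLE_TOKEN, ["Files.ReadWrite.AppFolder", "offline_access"]))
    print("database in app folder:", approot_content_url("Passwords.kdbx"))
```

The `excess_scopes` check is the one worth wiring into a test suite: the consent screen the issue reporter saw is driven entirely by the `scope` parameter, so a regression that widens it shows up here before users see the "full access" prompt.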
I guess this is settled, then.
Hi, I hope that it's OK to comment on this issue again. As a user with a database on a personal OneDrive account, I would strongly favor Files.ReadWrite.AppFolder as the default for the "+ > Connect to Server > OneDrive" (i.e., personal OneDrive) option.
It's a shame that this does not cover the corporate use-case. However, I am sure that there is a substantial user base with KDBX files on personal OneDrives. Windows 11 is tightly integrated with OneDrive and I expect that a substantial portion of Windows KeePass users with iPhones will have the same needs.
Shall we re-open this issue? I'm also happy to create a new issue.
> However, I am sure that there is a substantial user base with KDBX files on personal OneDrives.
@cedricdonie , I would assume most OneDrive Personal users just don't care… And if AppFolder were to become the default setting, this would definitely flood me with "it does not work" emails. That said, I am fine with offering AppFolder as an option.
There is also an idea (to be confirmed) how to limit the requested permissions for everyone, so yes, let's reopen.
> However, I am sure that there is a substantial user base with KDBX files on personal OneDrives.
> @cedricdonie , I would assume most OneDrive Personal users just don't care…
It might be correct that (sadly) most personal users just don't care. Then again, a lot of KeePassium users will be security-conscious and would not give any app access to all their documents which is a substantial risk for a breach.
> And if AppFolder were to become the default setting, this would definitely flood me with "it does not work" emails. That said, I am fine with offering AppFolder as an option.
As an "advanced" or even somewhat hidden option would be fine for me. It didn't take long to find this GitHub issue via Google and I am sure that other users would also find it.
> There is also an idea (to be confirmed) how to limit the requested permissions for everyone, so yes, let's reopen.
That sounds great 👍. I would be fine with either limiting access to a single file or limiting access to a single folder (and optionally, subfolders recursively).