Open snrkl opened 6 months ago
We do that using standard USB methods, nothing fancy there.
@phoerious I am not aware of a new permission for macOS. Have you seen this?
@snrkl this is odd
I was able to reliably trigger it on launch of 2.7.7 on two different Macs. The YubiKey was the trigger (one of them has been running 2.7.7 since it first shipped, but only triggered the prompt once I launched it with a YubiKey inserted).
Apple keeps adding implicit permission requests to some APIs. This is probably for auto type.
This one is different from the auto-type requests; it's basically saying KeePassXC is a listener to all app keystrokes. It may be because we are polling for HID devices (which a YubiKey is) and Apple thinks we are a new keyboard?
What version of macOS are you running?
Happened on Version 13.6.4 (22G513) (both machines).
Noticed the same after upgrading KeePassXC to version 2.7.7
Running macOS 14.4.1 (23E224).
Just saw this now and clicked "Deny"; it made me suspicious, so I looked it up and here I am...
Summary
After upgrading to KeePassXC 2.7.7 I was presented with a dialog in which KeePassXC requested access to monitor all keyboard input.
A little sleuthing (https://github.com/keepassxreboot/keepassxc/issues/4613) leads me to believe that this is connected to the new features in 2.7.7 that provide auto-detection of YubiKeys etc. (this only occurs for me when there is a YubiKey plugged in).
It would be good if this was explained at launch time, so that the user can:
For example, as the instance I am running does not use my YubiKey (or an equivalent device), I have not granted it the "Monitor Inputs" privilege.
Examples
[ INFO ]
In order for KeePassXC to use your YubiKey, we need you to grant the "Monitor Inputs" OSX system permission. We need this because {reasons}. If you don't give permission, then {results} will happen...
[ {GRANT} ] [ {DENY} ]
Context
I feel that apps that seemingly ask for permissions out of the blue, with no explanation or justification, are just teaching users to blindly undo years of security defence-in-depth work done at the operating-system level.
I believe that security-focused applications like password vaults should be the best-behaved citizens of the security-privilege world, so that we aren't reinforcing bad patterns of user behaviour that can be abused by malicious actors.
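The two things the thread asks for, confirming that the prompt comes from HID access and explaining it before macOS shows its own dialog, can both be done from the app side. The example below is added here and is not KeePassXC's code: it uses the public IOKit calls IOHIDCheckAccess and IOHIDRequestAccess (macOS 10.15+, the "Input Monitoring" permission, TCC service ListenEvent) to read the permission state without prompting, gate the HID open on that state and on a hypothetical `user_wants_hardware_keys` preference, and raise the system prompt only after the explanation has been shown. The YubiKey's OTP interface enumerates as a USB keyboard, which is why opening it falls under Input Monitoring; the function and enum names here are this example's own, and the non-Apple branch simply reports that no such gate exists.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
/* macOS 10.15+; build with: cc hid_preflight.c -framework IOKit */
#include <IOKit/hid/IOHIDLib.h>
#endif

/* Process-level state of the macOS "Input Monitoring" (TCC ListenEvent) permission. */
typedef enum {
    LISTEN_GRANTED,      /* user already allowed this app in System Settings */
    LISTEN_DENIED,       /* user clicked Deny (or revoked it); macOS will not prompt again */
    LISTEN_UNKNOWN,      /* never asked: opening a keyboard-class HID device will trigger the prompt */
    LISTEN_UNSUPPORTED   /* not macOS: no TCC gate in front of HID access (assumption for this example) */
} listen_access_t;

/* Query TCC without triggering the system prompt. */
listen_access_t hid_listen_access(void)
{
#ifdef __APPLE__
    switch (IOHIDCheckAccess(kIOHIDRequestTypeListenEvent)) {
    case kIOHIDAccessTypeGranted: return LISTEN_GRANTED;
    case kIOHIDAccessTypeDenied:  return LISTEN_DENIED;
    default:                      return LISTEN_UNKNOWN;
    }
#else
    return LISTEN_UNSUPPORTED;
#endif
}

/* Explanation to show the user *before* the OS dialog appears, chosen by state. */
const char *hid_listen_explanation(listen_access_t st)
{
    switch (st) {
    case LISTEN_GRANTED:
        return "Input Monitoring is already granted; hardware keys will be detected automatically.";
    case LISTEN_DENIED:
        return "Input Monitoring was denied. Hardware key auto-detection stays off until you enable it "
               "for this app under System Settings > Privacy & Security > Input Monitoring.";
    case LISTEN_UNKNOWN:
        return "macOS treats a YubiKey's OTP interface as a keyboard, so detecting it needs the Input "
               "Monitoring permission. The next dialog is that request; denying it only disables "
               "hardware key auto-detection.";
    case LISTEN_UNSUPPORTED:
    default:
        return "No OS permission is needed for hardware key detection on this platform.";
    }
}

/* Policy: open the HID device only when the feature is wanted and access is
   granted (or not gated). A denied or not-yet-asked state never opens the device,
   so the OS prompt can only ever follow an explicit, explained request. */
bool hid_should_open(listen_access_t st, bool user_wants_hardware_keys)
{
    if (!user_wants_hardware_keys)
        return false;
    return st == LISTEN_GRANTED || st == LISTEN_UNSUPPORTED;
}

/* Raise the system prompt (call only after showing the explanation above).
   Returns the grant state as reported by the OS after the request. */
bool hid_request_listen_access(void)
{
#ifdef __APPLE__
    return IOHIDRequestAccess(kIOHIDRequestTypeListenEvent);
#else
    return true;
#endif
}

int main(void)
{
    bool wants_keys = true; /* hypothetical preference; KeePassXC's real setting is not modelled */
    listen_access_t st = hid_listen_access();
    puts(hid_listen_explanation(st));
    if (st == LISTEN_UNKNOWN && wants_keys)
        hid_request_listen_access();
    printf("open HID device now: %s\n",
           hid_should_open(hid_listen_access(), wants_keys) ? "yes" : "no");
    return 0;
}
```

Two caveats when trying this: a command-line build launched from Terminal is attributed to Terminal by TCC, so the permission state you see belongs to Terminal rather than to the tool; and to re-test the prompt after clicking Deny, reset the ListenEvent service for the app's bundle identifier with `tccutil reset ListenEvent <bundle id>` rather than reinstalling.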