Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Security Apple

macOS Sonoma Brings Apple Password Manager To Third-Party Browsers (macrumors.com) 19

An anonymous reader quotes a report from MacRumors: The macOS Sonoma update that is in testing allows Mac owners who opt to use Google Chrome, Microsoft Edge, or another browser to use Apple's Password Manager for filling passwords. Developers and public beta testers running macOS Sonoma can use their iCloud Keychain passwords with non-Safari browsers at this time, autofilling passwords and one-time codes. Third-party browsers can also save new passwords.

Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.

This discussion has been archived. No new comments can be posted.

macOS Sonoma Brings Apple Password Manager To Third-Party Browsers

Comments Filter:
  • by dgatwood ( 11270 ) on Wednesday July 12, 2023 @07:36PM (#63681421) Homepage Journal

    Without a lot more detail, the concept of this raises huge red flags for me.

    A critical part of the security model for cloud passwords is that they're only accessible by apps that have permission to access those keychain items, which for all intents and purposes, means Safari and a few specific bits of the operating system. Will this involve keychain dialogs to grant the app permission to see a password, or are they doing an end run around keychain security and granting broad keychain access to a swath of passwords willy nilly? What prevents someone from installing an app that pretends to be Chrome, and using it to exfiltrate passwords?

    It being a Chrome extension likely means that it's a signed blob by Apple that feeds passwords into Chrome's password manager upon request. That makes the fear of someone wrapping it with another app and calling it inappropriately even more likely. In my mind, I'm likening that to a modified "sudo" app that takes no password, runs as root, and can be puppeteered by arbitrary shell scripts running as any user on the system....

    So what steps did they take to protect the security of our passwords as part of implementing this feature? Where's the threat model analysis paper? They did write one, right?

    • Re:Security model? (Score:4, Informative)

      by north_by_midwest ( 7997468 ) on Wednesday July 12, 2023 @08:28PM (#63681501)

      I think you're overthinking this. Every other cloud password manager has a Chrome extension already; not having one would render the products largely useless. The extensions don't feed into the Chrome password manager, they directly operate on web pages, looking for username and password fields and populating them (if you have autofill turned on) based on whatever passwords are bound to that URL.

      I'm not saying implementing a browser extension for a password manager is trivial, but it's a problem that's been solved many times. Knowing a bit about the internal processes at Apple, this feature has certainly been through several rounds of design, security reviews, etc.

    • Without a lot more detail, the concept of this raises huge red flags for me.

      A critical part of the security model for cloud passwords is that they're only accessible by apps that have permission to access those keychain items, which for all intents and purposes, means Safari and a few specific bits of the operating system. Will this involve keychain dialogs to grant the app permission to see a password, or are they doing an end run around keychain security and granting broad keychain access to a swath of passwords willy nilly? What prevents someone from installing an app that pretends to be Chrome, and using it to exfiltrate passwords?

      It being a Chrome extension likely means that it's a signed blob by Apple that feeds passwords into Chrome's password manager upon request. That makes the fear of someone wrapping it with another app and calling it inappropriately even more likely. In my mind, I'm likening that to a modified "sudo" app that takes no password, runs as root, and can be puppeteered by arbitrary shell scripts running as any user on the system....

      So what steps did they take to protect the security of our passwords as part of implementing this feature? Where's the threat model analysis paper? They did write one, right?

      Actually, they've already been field-testing this sort of connection for about 2 years:

      https://appleinsider.com/artic... [appleinsider.com]

    • You can already interact with the keychain from the command line, so I assume anything can delegate that way:
      https://ss64.com/osx/security-... [ss64.com]

      That might require a password to run it, which could be cached unless elevation is required. So thatâ(TM)s the bar to implementing things. Of course, it would be better if the Macâ(TM)s Touch ID were invoked every time, which is what Safari does.

      I think that the evidence is that Apple protects things but provides a way to give individual apps access or enti

      • by dgatwood ( 11270 )

        I think that the evidence is that Apple protects things but provides a way to give individual apps access or entitlements.

        They do. Each keychain item has an ACL. The concern is how this interacts with them.

        Just look at things like Zoom or Slack that even need permissions configured to share the screen.

        That's a completely unrelated mechanism.

        As for why they donâ(TM)t enable this on older Macs - why would they?

        As far as policy questions go, the answer would be because Chrome runs much farther back, and it is generally considered abusive to release an extension that doesn't.

        But I really don't care about that. I'm not going to use it either way, so that's kind of moot. The reason I'm concerned about their version support is that releasing it for only the very latest software update of the

  • You can use Bitwarden and have easy access to your passwords (and secure notes, and credit cards, and ...) in Safari, Firefox, and Chrome on your Mac. AND if you find yourself on a different computer - even one running Windows or Linux - you can still easily access all of that secure information.

  • I love pass [howtogeek.com] and I will probably never be convinced to use anything else unless someone gives me a cool curses TUI for it. I trust shit I can pop the hood on (well, not gnupg, required by 'pass' but I trust that more than some shitty corporate app) and isn't owned by a corporation or government. I can't stand any commercial password managers. I don't like their design or interface choices, and I don't trust their "security by us saying so in an advertisement" street-cred. Apple made yet another questionable
    • These kinds of tools work okayish for single users willing to jump through hoops. For even marginally more complex use cases, the ease of use of cloud-managed password managers more than outweighs the slightly decreased security. Bitwarden for example is still very secure, as well as being open-source, audited, etc. there's even Vaultwarden, an independent reimplementation of their server, available as well as a cli client if that's your thing. It has sophisticated organization support which lets me easily

    • Bitwarden is open source so it has a lot of security pros combing through its source looking for holes.

      Do NOT trust lastpass, theye've dropped the ball and gotten pwned and thats a *very bad* situation.

  • This is pretty cool. As a Firefox user, i hope an extension is in the works. Passkeys everywhere would be amazing.
  • Last time I considered Apple's Password Manager for my parents (who use iPhones, iPads and a Windows laptop), I found that, without an Apple computer, it was impossible to bulk import credentials from ... well ... anywhere - not even a bog standard CSV file was supported. This seemed rather counterproductive, considering that Apple should be making it as easy as possible for people to migrate existing credentials to their service.

    Even more concerning, it was impossible (without buying an Apple computer) to

  • Apple's Password Manager is terrible. Editing entries, importing/exporting, adding notes, it's a nearly complete fail.
    Bitwarden is the way.

  • Iâ(TM)ve used keypass, Lastpass, in the past. and now use Bitwarden. Until APM reaches feature parity with Bitwarden, including being cross platform (unlikely since this is Apple), itâ(TM)s a non-starter for me.

You know you've landed gear-up when it takes full power to taxi.

Working...