Password Safe storage tweak

Answered

Is it possible to change values stored by my plugin on Password safe storage, outside my plugin?

I'm storing plugin activation data on PasswordSafe, so I'm trying to determine if this is safe. I don't want any user to open that storage outside the plugin, and change that data.

3 comments

The default storage format depends on the OS as described here: Persisting Sensitive Data. Passwords are stored in the file system, but encrypted.

0

Thanks for your answer Jakub Chrzanowski, but is it possible for me (as a user) to get access to add or edit the keys to fool the plugin activation?

The use case is features activation. The user gets a signed token and the plugin validates it and if valid, it parses and stores (with PasswordSafe) the data, so it doesn't need to validate and parse the token every time. If some specific data is stored and with some specific value, the feature is active, but if it's not present or its value is not correct, the feature is not available to the user.

As a user of the plugin, I managed to change stored data, but the only effect is to deactivate a feature, as the plugin doesn't store any data if the feature is not activated. Also as a user, I couldn't add the data externally so I can activate a feature without providing any valid token... but I'm not any kind of "hacker", so maybe it is possible.

Another thing that bothers me as the plugin developer is that I need to ask the user to enable password storage on IntelliJ to have the plugin "activated" between restarts.

Maybe there's another way to store the activation data so the plugin user cannot hack it, or maybe the safest solution is to validate and parse the token every time the plugin needs to check for a feature status... any ideas on this?

BTW, I'm working on Ubuntu... I don't know what will happen on another OS

0
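
The alternative raised in the comment above, validating the signed token on every feature check instead of trusting parsed values read back from storage, as an added example that is not part of the original thread or of any plugin's code. The token layout (base64url payload, a dot, base64url ECDSA signature), the `feature=` field and all class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical token layout: base64url(payload) "." base64url(signature)
public class ActivationCheck {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Vendor side: runs where the private key lives, never shipped in the plugin.
    static String issue(String payload, PrivateKey key) throws GeneralSecurityException {
        byte[] data = payload.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(data);
        return ENC.encodeToString(data) + "." + ENC.encodeToString(s.sign());
    }

    // Plugin side: called on every feature check with whatever string storage returned.
    static boolean featureActive(String storedToken, PublicKey vendorKey, String feature) {
        if (storedToken == null) return false;
        String[] parts = storedToken.split("\\.", -1);
        if (parts.length != 2) return false;
        try {
            byte[] payload = DEC.decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorKey);
            s.update(payload);
            if (!s.verify(DEC.decode(parts[1]))) return false;
            // The payload is read only after the signature check has passed.
            String[] fields = new String(payload, StandardCharsets.UTF_8).split(";");
            return Arrays.asList(fields).contains("feature=" + feature);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad base64 or malformed signature: treat as not activated
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair vendor = gen.generateKeyPair(); // constructed key pair for the demo
        String token = issue("user=demo;feature=export", vendor.getPrivate());
        // Constructed stored value edited outside the plugin: new payload, old signature.
        String edited = ENC.encodeToString("user=demo;feature=pro"
                .getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println(featureActive(token, vendor.getPublic(), "export"));
        System.out.println(featureActive(edited, vendor.getPublic(), "pro"));
        System.out.println(featureActive("feature=pro", vendor.getPublic(), "pro"));
    }
}
```

With this shape the stored value is the token itself, so editing it outside the plugin can only make a feature unavailable; producing a value that activates one requires the vendor's private key.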

The actual implementation used to store can be reviewed in com.intellij.ide.passwordSafe.impl.PasswordSafeImpl (KeePass)

Please note, users can change the setting in Settings/Preferences | Appearance & Behavior | System Settings | Passwords

0
