
#1 2025-09-18 13:45:58

seguridad
Member
Registered: 2025-09-18
Posts: 5

chromium and kwallet integration

Hello,

I've noticed that chromium uses kwallet for password storage (otherwise they're stored as plain text).
Each time, chromium asks for the wallet password; alternatively I could install kwallet-pam.

My main question is: if a malicious application is run on my device, could it access the wallet while chromium is running and get the stored passwords, as if they were stored as plain text?
(or: does kwallet/pam know that chromium is trying to access the stored passwords and not another process? How?)

Is there any difference between unlocking the wallet each time and using kwallet-pam with the user pw as suggested here? What if I use an empty pw instead? ref. https://wiki.archlinux.org/title/KDE_Wa … y_on_login

Some real-case scenario examples and a comparison would be really appreciated.
Thanks in advance for the support.


#2 2025-09-18 20:12:47

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 24,802

Re: chromium and kwallet integration

Technically yes, if you do not close the wallet, a malicious process could read the info contained therein. Generally speaking, when a process first tries to get access you will be prompted whether this should be allowed. Afaik this is basically simply a string that the application/malware could set to whatever is "likely" to have already been granted access. So this isn't really going to protect you here.

No, whether you explicitly unlock it or use PAM has no relevance to this. If you use an empty password then the wallet can simply be opened and the protection is just a few additional steps to take.

Ultimately the best way to avoid getting owned is to not run malware at all. If you're doing it for curiosity's sake, make sure you have sandboxing/virtualization in place when running something you have reason to suspect to be malware.

Note that chromium just stores a key with which to decrypt its own password store, so there's a bit more effort involved to get at the actual passwords. Technically the good thing is that chromium just needs to access the wallet once during its runtime in order to grab the relevant key, so unlocking it for that specific prompt and closing it immediately after will be fairly safe, and you should be on alert if a relevant dialog to open it again pops up despite there not being an explicit reason for it from a chromium perspective.


#3 2025-09-18 23:58:39

twelveeighty
Member
Registered: 2011-09-04
Posts: 1,387

Re: chromium and kwallet integration

Also consider the risk of having passwords managed by Chromium vs using an external Password Manager. There are pros and cons to either approach, and there's no "right" way, but a lot of folks prefer to have a layer of separation between the browser and their passwords.


#4 2025-09-19 08:45:18

seguridad
Member
Registered: 2025-09-18
Posts: 5

Re: chromium and kwallet integration

Thanks for your replies :)

Even if I guess it's unlikely for an attacker to develop something specific for kwallet (rather than steal the chromium file hoping they're in clear text), since they're still accessible I prefer to not "tie" the passwords to the DE.

I'll let chromium store them in plain text and use 2FA for important stuff, or use pass.
