A couple of ideas for the forums and for KM itself


#1

Here are a couple of ideas that would be neat to have, but more importantly a security patch.

  1. When a macro file is uploaded, parse the file and build HTML output that represents the same as what is shown in KM editor. This would remove the need for the user to also upload a screen shot of the KM editor window. It would also show the actual content of the macro file.
    Obviously that will take quite a bit of forum/coding work but it would be very neat. :slight_smile:
    If so, please always put it within expand/hidden blocks

  2. (Even if #1 could be done,) when a macro file is uploaded, parse and edit it to remove the triggers and set the group to be a “sandbox”.

  3. In KM itself, any imported macro is always put into a “sandbox” group (even if it didn’t go through #2), which is always disabled. Macros in the sandbox can’t be enabled or run until the user puts it into another group.

  4. Along with #3, always strip out the macro’s trigger during import into KM.

If #3 and #4 don’t happen, it is possible for someone to post a malicious macro script to the forums pretending it is a helpful macro.

Friendly, Helpful Macro.kmmacros (3.3 KB)

For example, here is my “Friendly, Helpful Macro” which shows a text box of what could be a super nasty macro that deletes all of your files! This macro file is configured to import into the Global Macro Group (which is likely to be enabled) and to run every second. This means as soon as the user double clicks on it to import into KM, it immediately runs.

Of course you might say to yourself “what kind of person would blindly run/import a macro without checking it first?” and I bet if you were to run a poll, 99% of the userbase has assumed good intentions of the other KM users and have imported a macro without checking it first.

Sorry for exposing potential dark intentions with KM but such is my day job so I feel compelled to point it out in other apps too.


#2

@Onan, and others:

You might be interested in this great app by forum friend @DanThomas, which intercepts the KM Macro import process, and allows the user to disable and/or remove all triggers.

Macro Import Manager Lite (MIM Lite) v1.0


#3

Very nice. I created a similar hack for my own use but I’ll probably switch over to his app.
At least until Peter can add something like MIM Lite’s functionality included in the app and on the forum uploads.

Thanks


#4

Keyboard Maestro has the ability to import macros disabled, and this is expanded in 8.0.

Deleting triggers and even disabling them deletes useful information - a lot of shared macros have useful triggers. Macros are also shared in macro groups, which makes the concept of a sandbox rather difficult.

Yes, it is absolutely possible for someone to post a malicious macro, so no one should install a macro unless they trust the source. However even all the precautions you suggest would simply hide the issue with a false sense of security - that same 99% of the userbase would import the macro and promptly move it out of the sandbox, add a trigger and run the macro because that is what they downloaded it for in the first place. 90% of users would not have understood the script you posted even if they had looked at it, and that is without any attempt to obfuscate what it does.

The only real solution would be some form of codesigning of macros and a trust system, something that has proved almost intractable for the whole tech industry, and frequently fails to avert harm, so it is not really a challenge I feel I am up to solving.

I could change Keyboard Maestro to import macros disabled by default, but that would almost certainly just frustrate users and train them to re-enable them / force them imported enabled.


#5

Peter, IMO this should be at least an option the user can set in Preferences.

Here’s another idea. I don’t know how practical it is to implement, but I think it would be very helpful.

  1. When you export a macro or action, include the user’s name and modified date.
  • Then when you import a macro if the current Mac user is NOT the same user in the macro, show a popup asking the user to confirm the import.
  • Something like @DanThomas’ MIM Lite would work.


#6

How/Where is this option set? I couldn’t find it in the KM Preferences or as advanced options in the Plists.

So that information isn’t lost by deleting triggers, KM could insert a Comment block at the top of the macro that contains information modified during the import.

  • Title: IMPORTANT! Modifications made to this macro during import
  • Content: For your safety, the following changes were made to the macro during import.
  • Set to Disabled state. Select View>Toggle Enable menu to re-enable.
  • Triggers Removed:
    • Hot key “⌘⇧T” is pressed
    • Timed (Every 33 seconds, between 1:14am and 2:42am, on MWF)

You could even add in a button for the user to click to re-instate the original settings.


#7

It’s not a preference.

https://wiki.keyboardmaestro.com/manual/Macros

If you are at all uncertain about the source of the macros, hold all the modifiers (Command, Control, Option, Shift) down when importing the macros and the macro will be imported disabled.

If the macro isn’t signed, then anyone could make the author anything, so, for example, if they make it “DanThomas”, then you’re likely to trust it.

Once you assume you are trying to battle malicious people, then you have to assume they have malicious intent, so they will work to thwart whatever safeguards are in place, and they will do that at a level far above the typical user.

I’ll go back again and see what I can do that might be beneficial, but as I mentioned, it is largely an intractable problem that has not been well solved anywhere at any level, and certainly not without significant negative consequences as well.


#8

Peter, my thought is that KM would use the Mac User Name, and encrypt it in the KM Macro export. Granted this is not fool-proof, but I think it might keep macros written many would-be black-hats from being triggered in the users’ KM environment.

My assertion is that few KM users actually import their own macros. Even as a KM power user, I rarely do this. So, if when attempting an import of a KM macro, the user is notified that the owner is NOT him/herself, it might prevent execution of malware.

I now upload ALL of my macros in a “disabled” state. I have not had any complaints about this.