This Massive Password Manager Exploit May Never Be Fixed


It’s been a rough few months for password managers — though mostly for LastPass. But after revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Allegations have been flying that a new vulnerability allows hackers to secretly steal a user’s entire password database in unencrypted plaintext. This is an incredibly serious claim, but the developers of KeePass are disputing it.


KeePass is an open-source password manager that stores its content on a user’s device rather than in the cloud like rival offerings. However, like many other apps, its password vault can be protected with a master password.

The vulnerability, logged as CVE-2023-24055, can be exploited by anyone who already has write access to a user’s system. Once this is obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — to an unencrypted plaintext file.

Because the export is driven by the changes made to the XML file, it runs automatically in the background, so users are not alerted that their database has been exported. The threat actor can then collect the exported file and move it to a computer or server under their control.

it won’t be fixed


However, the developers of KeePass have disputed the classification of the process as a vulnerability, as anyone who has access to the device can get their hands on the password database using different (sometimes ingenious) methods. Could

In other words, once someone has access to your device, this type of XML exploit is unnecessary. For example, an attacker could install a keylogger to capture the master password. The developers’ line of reasoning is that worrying about such an attack is like closing the stable door after the horse has bolted: if an attacker already has access to your computer, fixing the XML exploit won’t help.

The solution, the developers argue, “is to keep the environment secure (using anti-virus software, firewalls, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

what can you do?


While the developers of KeePass appear reluctant to fix the problem, there are steps you can take yourself. The best thing to do is to create an enforced configuration file. This takes precedence over the regular configuration file, so it overrides any malicious changes made to that file (such as the automatic export commands used in this database export vulnerability).

You’ll also need to make sure that regular users don’t have write access to any important files or folders contained in the KeePass directory, and that both the KeePass .exe file and the applicable configuration file are in the same folder.
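The three steps above, combined in an added Python example that is not from the article or from the KeePass project: it audits a user configuration for trigger definitions, checks that an enforced configuration sits beside KeePass.exe with the trigger system switched off, and writes that file. The file name KeePass.config.enforced.xml and the Application/TriggerSystem element path are assumptions taken from KeePass 2.x documentation, the sample XML is constructed, and restricting write access to the folder still has to be done separately.

```python
"""Audit KeePass 2.x trigger settings and build an enforced configuration.
Assumptions (not from the article): KeePass keeps triggers under
Configuration/Application/TriggerSystem in KeePass.config.xml, and a file
named KeePass.config.enforced.xml beside KeePass.exe overrides it."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a user config in which someone has defined a trigger.
SAMPLE_USER_CONFIG = """<Configuration>
  <Application><TriggerSystem>
    <Enabled>true</Enabled>
    <Triggers><Trigger><Name>unexpected trigger</Name></Trigger></Triggers>
  </TriggerSystem></Application>
</Configuration>"""

# Enforced config that switches the trigger system off and defines no triggers.
ENFORCED_CONFIG = """<Configuration>
  <Application><TriggerSystem>
    <Enabled>false</Enabled>
    <Triggers />
  </TriggerSystem></Application>
</Configuration>
"""

def audit_triggers(config_xml: str) -> dict:
    """Report whether triggers are enabled and list the names of any defined."""
    ts = ET.fromstring(config_xml).find("./Application/TriggerSystem")
    if ts is None:                      # KeePass default: trigger system on, no triggers
        return {"enabled": True, "triggers": []}
    enabled = ts.findtext("Enabled", "true").strip().lower() == "true"
    names = [t.findtext("Name", "<unnamed>") for t in ts.findall("./Triggers/Trigger")]
    return {"enabled": enabled, "triggers": names}

def enforced_config_ok(keepass_dir: str) -> bool:
    """True only if the enforced file sits beside KeePass.exe and disables triggers."""
    d = Path(keepass_dir)
    enforced = d / "KeePass.config.enforced.xml"
    if not ((d / "KeePass.exe").exists() and enforced.exists()):
        return False
    return not audit_triggers(enforced.read_text(encoding="utf-8"))["enabled"]

def demo() -> bool:
    """Stand in for a real install: scratch folder with a placeholder KeePass.exe."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "KeePass.exe").touch()
        before = enforced_config_ok(d)          # no enforced file yet -> False
        Path(d, "KeePass.config.enforced.xml").write_text(ENFORCED_CONFIG, encoding="utf-8")
        after = enforced_config_ok(d)           # enforced file present, triggers off -> True
    return (not before) and after
```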

And if you don’t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers out there to keep your login and credit card details more secure than ever.

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords that are encrypted on all your devices. This is much more secure than using “123456” for each account.
