Top password manager denies its entire database can be stolen
Open-source password manager KeePass has refuted claims that it has a major security flaw that allows unauthorized access to users’ password vaults.
KeePass is primarily designed for individual use rather than as a corporate password manager. It differs from many popular password managers in that it does not store its database on cloud servers; instead, the database is stored locally on the user’s device.
The newly discovered vulnerability, known as CVE-2023-24055, allows hackers who have already gained access to a user’s system to export their entire vault in plain text by modifying an XML configuration file, making all of their usernames and passwords fully visible.
Not our problem
When the victim opens KeePass and enters their master password to access their vault, the database is exported to a file that the hackers can steal. The export runs quietly in the background without any prompt from KeePass or the operating system, so no verification or authentication step alerts the victim, leaving them none the wiser.
Users on one SourceForge forum have asked KeePass to implement the requirement that their master password must be entered before the export is allowed to take place, or to disable the export feature by default and require the master password to re-enable it.
A usable exploit of this vulnerability has already been shared online, so it is only a matter of time before it is further developed by malware developers and becomes widespread.
While the existence of the CVE-2023-24055 vulnerability is not denied, KeePass’s argument is that it cannot protect against threat actors that already have control over your system. They said attackers with write access to a user’s system could steal their password vault in a variety of ways it couldn’t prevent.
It was described as a ‘write access to the configuration file’ issue in April 2019, with KeePass claiming that it is not a vulnerability related to the password manager itself.
The developers said that “Having write access to the KeePass config file generally implies that an attacker can actually perform far more powerful attacks than modifying the config file (and these attacks can ultimately affect KeePass as well, independent of any config file security)”.
“These attacks can only be prevented by keeping the environment secure (using antivirus software, a firewall, not opening unknown email attachments, etc.). KeePass magically cannot operate securely in an insecure environment,” they added.
While KeePass is unwilling to add protections against unauthorized exports triggered through the XML configuration file, there is a workaround that users can try. If they log in as an administrator, they can create an enforced configuration file, which prevents the export from triggering. They must first ensure that no one else has write access to the KeePass files and folders before activating the administrator account.
But even this isn’t foolproof, as attackers can run a copy of the KeePass executable in a different directory than where the enforced config file is stored, meaning that, according to KeePass, “this copy doesn’t know the enforced config file that is stored elsewhere, [therefore] no settings are enforced.”
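To verify the precondition the workaround depends on (that nobody but administrators can modify the KeePass directory and its config files, and that an enforced config is actually present), here is an added PowerShell audit script; it is not from the article or the KeePass project. It assumes the default install path under Program Files, the file name KeePass.config.enforced.xml that KeePass documents for the enforced configuration, and that only SYSTEM, Administrators and TrustedInstaller should hold write rights.

```powershell
# Added example: audit the preconditions for the enforced-configuration workaround.
# Assumptions: default install directory; the trusted principals listed below.
param(
    [string]$KeePassDir = 'C:\Program Files\KeePass Password Safe 2'
)

$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that would let a principal alter, replace or re-permission a file.
$R = [System.Security.AccessControl.FileSystemRights]
$writeLike = [int]($R::Write -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)

function Get-UntrustedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeLike) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# 1. The directory, the executable and both config files must not be writable by anyone else,
#    since a writable config file is exactly what the trigger-based export relies on.
$paths = @($KeePassDir) + (@('KeePass.exe', 'KeePass.config.xml', 'KeePass.config.enforced.xml') |
    ForEach-Object { Join-Path $KeePassDir $_ })
$findings = @()
foreach ($p in ($paths | Where-Object { Test-Path -LiteralPath $_ })) {
    $findings += Get-UntrustedWriters -Path $p
}

# 2. The enforced config must exist; without it nothing overrides a tampered KeePass.config.xml.
$enforced = Join-Path $KeePassDir 'KeePass.config.enforced.xml'
if (-not (Test-Path -LiteralPath $enforced)) {
    Write-Warning "No enforced configuration found at $enforced"
}

if ($findings) {
    Write-Warning 'Untrusted principals hold write-like rights on KeePass files:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'OK: only trusted principals can modify the KeePass directory and config files.'
}
```

The audit only checks the precondition the workaround needs; it does not address the copied-executable bypass KeePass itself describes above.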