in ,

This huge password manager exploit may never get fixed

Password managers have had a rough few months, though largely LastPass. But now that it’s known that LastPass had a significant security breach, focus is shifting to open-source password manager KeePass.

There have been numerous claims that a recent flaw enables hackers to covertly take a user’s complete password database in plaintext. That is a very severe accusation, but KeePass’s creators refute it.

KeePass is an open-source password manager that maintains its data locally, as opposed to on the cloud like competing products do. However, its password vault can be secured by a master password, just like many other programmed.

Anyone with write access to a user’s system can exploit the vulnerability, identified as CVE-2023-24055. Once they have it, a threat actor can add commands to the KeePass XML configuration file that cause the software to automatically export its database, which contains all usernames and passwords, into an unencrypted plaintext file.

The process is completed automatically and in the background as a result of the modifications made to the XML file, thus users are not informed that their database has been exported. Once the database has been exported, the threat actor can extract it to a machine or server under their control.

It won’t be fixed

The designation of the procedure as a vulnerability, however, has been contested by the KeePass developers because anyone with write access to a device can access the password database using additional (and occasionally simpler) techniques.

In other words, this kind of XML hack is unneeded once someone has access to your device. A keylogger could be installed by attackers to obtain the master password, for example. According to this line of thinking, worrying about an attack of this nature is equivalent to closing the door after the horse has run. Fixing the XML exploit won’t assist if an attacker has gained access to your machine.

The developers contend that “keeping the environment secure” is the answer (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot operate securely by magic in an unsafe setting.

What can you do?

Although KeePass’s developers don’t seem willing to address the problem, there are things you can do on your own. The best course of action is to establish a configuration file that is enforced. Other configuration files will be superseded by this, preventing dangerous alterations from external influences (such as that used in the database export vulnerability).

Additionally, you must ensure that the enforced configuration file and the KeePass.exe file are located in the same folder and that regular users do not have write access to any crucial files or folders located within the KeePass directory.

There are several alternatives if you don’t feel comfortable sticking with KeePass. To keep your login information and credit card information secure than ever, consider switching to one of the top password managers.

Even while this is likely more negative news for the password management industry, these programmes are still valuable. They may assist you in making secure, one-of-a-kind passwords that are encrypted across all of your devices. Compared to using “123456” for each account, that is more safer.