The developers of the open-source password manager KeePass say that a vulnerability allowing an attacker to steal all of a user's passwords is not as dangerous as it sounds. Their reasoning: if an attacker already controls your system, it is no longer your system.
KeePass is a popular password manager that allows managing passwords using a locally stored database rather than the cloud like LastPass or Bitwarden. To protect such local databases, users can encrypt them with a master password so that malware or an attacker that has entered the system cannot simply steal the database and automatically gain access to all the data stored there.
The vulnerability found in KeePass (CVE-2023-24055) allows an attacker with write access to the target system to modify the KeePass configuration XML file and inject a malicious trigger into it. That trigger causes the password manager to export the database, including all stored usernames and passwords, in plain text.
That is, the next time the victim launches KeePass and enters the master password to open and decrypt the database, the planted export trigger fires and the entire contents of the database are saved to a separate file that the attacker can read and steal. The export runs in the background without notifying the user or prompting for the master password, so the attacker remains unnoticed.
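Because the attack lives entirely in the trigger section of KeePass.config.xml, a defender's first check is to enumerate that section and flag any trigger whose action parameters name an output file. The following audit script is an added example, not code from the article or from the KeePass project; it assumes the config layout Configuration/Application/TriggerSystem/Triggers/Trigger with Actions/Action/Parameters/Parameter beneath each trigger, uses placeholder GUIDs in a constructed sample config, and treats KeePass-style `{PLACEHOLDER}` values such as `{DB_DIR}` as paths (assumed placeholder syntax).

```python
"""Defender-side audit of KeePass.config.xml: list trigger definitions and
flag any whose action parameters point at an output file."""
import re
import xml.etree.ElementTree as ET

# Values that look like a destination path: drive letter, UNC, POSIX root, or a
# KeePass-style {PLACEHOLDER} such as {DB_DIR} (assumed placeholder syntax).
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/|\{[A-Z_]+\})")

# Constructed sample config. GUIDs are placeholders, not real KeePass type ids;
# the one trigger has a single action whose parameters name a format and a file.
SAMPLE_CONFIG = """<Configuration>
 <Application><TriggerSystem><Enabled>true</Enabled><Triggers>
  <Trigger>
   <Guid>PLACEHOLDER-TRIGGER-GUID</Guid><Name>sync</Name><Enabled>true</Enabled>
   <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid>
    <Parameters><Parameter>0</Parameter><Parameter /></Parameters></Event></Events>
   <Conditions />
   <Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
    <Parameters><Parameter>KeePass XML (2.x)</Parameter>
     <Parameter>C:\\Users\\Public\\export.xml</Parameter></Parameters></Action></Actions>
  </Trigger>
 </Triggers></TriggerSystem></Application>
</Configuration>"""


def audit_triggers(xml_text):
    """Return one finding dict per <Trigger>; 'suspicious' is set when the
    trigger is enabled and any action parameter looks like a file path."""
    root = ET.fromstring(xml_text)
    findings = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        enabled = trig.findtext("Enabled", default="true").strip().lower() == "true"
        params = [p.text or "" for p in trig.iterfind("./Actions/Action/Parameters/Parameter")]
        paths = [p for p in params if PATH_RE.match(p)]
        findings.append({
            "name": trig.findtext("Name", default=""),
            "enabled": enabled,
            "actions": len(trig.findall("./Actions/Action")),
            "paths": paths,
            "suspicious": enabled and bool(paths),
        })
    return findings


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] trigger {f['name']!r}: {f['actions']} action(s), writes {f['paths']}")
```

In an environment where nobody uses KeePass triggers, any non-empty result is worth a look; pair this with file-integrity monitoring on KeePass.config.xml so a modification is caught before the next database open.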
Even worse, the PoC exploit for CVE-2023-24055 has already been published in the public domain, which makes it much easier for malware developers to update their infostealers and create malware that can steal KeePass databases from compromised devices.
Since the vulnerability became known, users have been asking the KeePass development team to at least add a mandatory confirmation prompt before the database is exported automatically, or to publish a build of the application that does not contain the export function at all.
It has also been proposed to add a flag stored inside the KeePass database itself that disables export and that could only be changed by someone who knows the master password.
However, the KeePass development team has its own view on the matter. In their opinion, CVE-2023-24055 should not be classified as a vulnerability at all, given that an attacker who already has write access to the target device can obtain information from the KeePass database in many other ways.
In fact, the KeePass help center has addressed the problem of write access to the configuration file repeatedly since at least April 2019, and there too it states that “this is not a security vulnerability in KeePass.”