Vulnerability in KeePass Allows Stealing All User Passwords in Plain Text

The developers of the open-source password manager KeePass explain that a vulnerability that allows an attacker to steal all user passwords is not so dangerous. The fact is that the developers consider that if an attacker controls your system, then this is no longer your system.

KeePass is a popular password manager that keeps its passwords in a locally stored database rather than in the cloud, as LastPass or Bitwarden do. To protect such a local database, users encrypt it with a master password, so that malware or an attacker who has gotten onto the system cannot simply copy the database file and automatically gain access to everything stored in it.

The vulnerability found in KeePass (CVE-2023-24055) allows an attacker with write access to the target system to modify the KeePass configuration XML file and inject a malicious trigger into it. That trigger makes the password manager export its database, including all usernames and passwords stored in it, in plain text.

That is, the next time the victim launches KeePass and enters the master password to open and decrypt the database, the injected export trigger fires, and the entire contents of the database are written to a separate file that the attacker can read and steal. The export runs in the background, without notifying the user and without prompting for the master password, which lets the attacker go unnoticed.
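An added defender-side check, not from the article or the KeePass project: it parses a KeePass.config.xml and reports every trigger in it, additionally flagging actions whose parameters name a file path (where an export would land). The element layout follows KeePass's trigger XML as I understand it; the sample config, the trigger name and all GUIDs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass.config.xml carrying an injected trigger.
# Element layout follows KeePass's trigger XML; all GUIDs are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>TRIGGER-GUID-PLACEHOLDER</Guid>
          <Name>Export on open (constructed)</Name>
          <Events><Event><TypeGuid>EVENT-TYPE-PLACEHOLDER</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\dump.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

# Matches a Windows drive path, a UNC path or a POSIX absolute path.
PATH_RE = re.compile(r"^([a-zA-Z]:\\|\\\\|/)")


def audit_triggers(xml_text):
    """Return (trigger_name, reason) findings for a KeePass config.

    A config the user never added triggers to has no <Trigger> elements,
    so every trigger is reported; actions whose parameters point at a
    file path get a second, more specific finding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        name = trig.findtext("Name", default="<unnamed>")
        findings.append((name, "trigger present in config"))
        for param in trig.iterfind("./Actions/Action/Parameters/Parameter"):
            if param.text and PATH_RE.match(param.text.strip()):
                findings.append((name, "action writes to path " + param.text.strip()))
    return findings


if __name__ == "__main__":
    for name, reason in audit_triggers(SAMPLE_CONFIG):
        print(f"[!] {name}: {reason}")
```

Run it against the real KeePass.config.xml (or have endpoint tooling do so on a schedule) and treat any trigger the user did not create as a compromise indicator, since the trigger only becomes active once the master password has been entered.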

Even worse, a PoC exploit for CVE-2023-24055 has already been published, which makes it much easier for malware developers to update their infostealers and build malware that steals KeePass databases from compromised devices.

After the vulnerability became known, users have been asking the KeePass development team to at least add a mandatory confirmation prompt before the database is exported automatically, or to publish a version of the application that does not contain the export function at all.

Another proposal is a flag stored inside the KeePass database itself that disables export and can be changed only by someone who knows the master password.

However, the KeePass development team has its own view on the matter. In their opinion, CVE-2023-24055 should not be classified as a vulnerability at all, given that an attacker who already has write access to the target device can obtain the contents of the KeePass database in many other ways.

In fact, the KeePass help center has addressed write access to the configuration file repeatedly since at least April 2019, and there too it states that “this is not a security vulnerability in KeePass.”

“Having write access to the KeePass configuration file usually means that an attacker can perform more powerful attacks than simply changing the configuration file (and these attacks will eventually be able to affect KeePass, regardless of the protection of the configuration file). Such attacks can only be prevented by maintaining a secure environment (using antivirus software, a firewall, not opening unknown email attachments, and so on). And KeePass cannot work securely in an insecure environment in some magical way,” the KeePass developers explain.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
