An alleged security flaw in the KeePass password manager has been dismissed by its developers, even as experts point to it as an attack vector against users. Through the flaw, an attacker can manipulate the software’s configuration file and have the saved credentials exported as soon as the user next logs in, obtaining the data without any protection.
The flaw, tracked as CVE-2023-24055, requires the attacker to already have write access to the device on which KeePass is installed, something that can be obtained through malware, remote access or direct intrusion. After that, it would be enough to inject a malicious command into the manager’s configuration file so that the password database is exported at the user’s next login, in the background and without the user knowing that the compromise has taken place.
The flaw has already been demonstrated in proofs of concept and prompted alerts from CERT (Computer Emergency Response Team) units in countries such as Belgium and the Netherlands. Meanwhile, users are asking the KeePass team to release updates that fix the problem or, at least, disable the password database export feature or add notifications when it is used.
While there are no records of cybercriminal attacks exploiting it, the news comes at a bad time for password manager users, who are still reeling from the recent LastPass incidents. One of the biggest names in the market was the victim last year of attacks that led to the exposure of source code and other elements that could put user security at risk.
KeePass, however, was regarded as a secure alternative because it works offline, letting users manage their passwords disconnected from the cloud, which would reduce the risk of exposure. Open source and free, the program has a Windows version, community-made ports for macOS and mobile, and also a portable edition that can be carried anywhere on a USB drive. According to the project’s developers, however, there is no reason to panic.
The flaw is generic and affects any app, say the developers
According to the KeePass developers, if an attacker has write access to a device, they can carry out many different malicious activities, not restricted to the password manager. They believe the issue should not be considered a security flaw, much less one specific to the software, since means other than export could also be used to gain access to user data.
They cite, for example, deploying malware that records keystrokes, or even replacing the KeePass executable with a malicious version — all resulting from the compromise of the machine, not of the app itself. The developers point out that the issue now presented as an alleged flaw has been discussed by the project since 2019 in its security reports.
Still according to the developers, KeePass cannot work in a “magically” safe way in a compromised environment. Hence the recommendation to use antivirus and other security solutions, keep software and operating systems updated, and be careful with downloads, attached files, malicious websites and other common vectors of compromise. Advanced users can also adjust the manager’s settings locally to mitigate the database export described in CVE-2023-24055.
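As an added illustration of the defensive side of the attack described above (this is example code, not from the article or from the KeePass project), the following script audits a KeePass-style configuration file for enabled triggers whose parameters look like a database export and fingerprints the file so that tampering between logins can be detected. The XML layout, the element names and the TypeGuid values are assumptions and placeholders, not the project's real identifiers.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config (not a real KeePass file). The layout below
# (TriggerSystem/Triggers/Trigger with Name, Enabled, Actions/Action/Parameters)
# is assumed; the TypeGuid values are placeholders, not real KeePass identifiers.
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Enabled>true</Enabled><Triggers>
  <Trigger><Name>Lock on idle</Name><Enabled>true</Enabled>
    <Actions><Action><TypeGuid>PLACEHOLDER-LOCK-GUID</TypeGuid><Parameters/></Action></Actions>
  </Trigger>
  <Trigger><Name>exfil</Name><Enabled>true</Enabled>
    <Actions><Action><TypeGuid>PLACEHOLDER-EXPORT-GUID</TypeGuid><Parameters>
      <Parameter>CSV</Parameter><Parameter>C:\\Users\\Public\\export.csv</Parameter>
    </Parameters></Action></Actions>
  </Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

# Parameter values that have no business in a benign trigger: export-style
# formats, plaintext data files and writable shared locations.
SUSPICIOUS = ("export", "csv", "\\public\\", "\\temp\\", "http")


def find_suspicious_triggers(config_xml: str) -> list:
    """Return the names of enabled triggers whose action parameters look like an export."""
    root = ET.fromstring(config_xml)
    hits = []
    for trig in root.iter("Trigger"):
        if (trig.findtext("Enabled") or "").strip().lower() != "true":
            continue  # a disabled trigger cannot fire
        params = [(p.text or "").lower() for p in trig.iter("Parameter")]
        if any(s in v for v in params for s in SUSPICIOUS):
            hits.append(trig.findtext("Name") or "<unnamed>")
    return hits


def config_fingerprint(config_xml: str) -> str:
    """SHA-256 of the config text; record it once and compare it at every login."""
    return hashlib.sha256(config_xml.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("suspicious triggers:", find_suspicious_triggers(SAMPLE_CONFIG))
    print("fingerprint:", config_fingerprint(SAMPLE_CONFIG))
```

A changed fingerprint or a newly reported trigger between two logins is the signal that the configuration was modified outside the user's own actions.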