Top password manager denies its entire database can be stolen

KeePass logo padlock
(Image credit: KeePass)

Open-source password manager KeePass has refuted claims that it has a major security flaw allowing for undue access to user password vaults.

KeePass is designed primarily for individual use, rather than being a business password manager. It differs from many popular password managers in that it doesn't store its database in cloud servers; instead, it stores them locally on the user's device. 

The newly discovered vulnerability, known as CVE-2023-24055, allows hackers who have already gained access to a user's system to export their entire vault in plain text by altering an XML configuration file, completely exposing all their usernames and passwords.

<a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"">TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=Q0+ZHk1v+seerVJPB3MBeiu8DEMDIBDHisYB81cDeXB+Tl4/OZ5giQDtZEDgULgE" data-link-merchant="project.tolunastart.com"" data-link-merchant="project.tolunastart.com"">our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Not our problem

When the victim opens KeePass and enters their master password to access their vault, this will trigger the export of the database to a file that the hackers can steal. The process quietly goes about its business in the background, without notifying KeePass or your operating system, so there is no verification or authentication required, leaving the victim non the wiser.

Users on a Sourceforge forum have asked KeePass to implement the requirement of their master password to be inputted before the export is allowed to happen, or to disable the export feature by default and requiring the master password to reenable it.

A workable exploit of this vulnerability has already been shared online, so it is only a matter time before it is developed further by malware developers and made widespread. 

While not denying the existence of the CVE-2023-24055 vulnerability, KeePass's argument is that it cannot protect against threat actors who already have control of your system. They said that threat actors with write access to a user's system could steal their password vault via all sorts of means which it could not prevent.

It was described as a 'write access to the configuration file' issue back in April 2019, with KeePass claiming that it is not a vulnerability pertaining to the password manager itself.

The developers said that "Having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)".

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment", they added.

While KeePass are not willing to add any additional protections to prevent unauthorized export of the XML file, there is a workaround users can try. If they login as a user administrator instead, then they can create an enforced configuration file, which prevents the triggering of the export. They first have to make sure that no one else has write access to KeePass files and directories before they activate the admin account. 

However, even this is not foolproof, since attackers could run an copy of the KeePass executable in another directory separate to where the enforced config file is stored, which means that, according to KeePass, "this copy does not know the enforced configuration file that is stored elsewhere, [therefore] no settings are enforced."

  • Want to lock down your system tight? Then you should consider using the best security keys
Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 


His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.


He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.