Top password manager denies its entire database can be stolen
Nothing wrong on our end, KeePass claims
Open-source password manager KeePass has refuted claims that it has a major security flaw allowing for undue access to user password vaults.
KeePass is designed primarily for individual use, rather than being a business password manager. It differs from many popular password managers in that it doesn't store its database in cloud servers; instead, it stores them locally on the user's device.
The newly discovered vulnerability, known as CVE-2023-24055, allows hackers who have already gained access to a user's system to export their entire vault in plain text by altering an XML configuration file, completely exposing all their usernames and passwords.
TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.
D. Athow, Managing Editor
Not our problem
When the victim opens KeePass and enters their master password to access their vault, this will trigger the export of the database to a file that the hackers can steal. The process quietly goes about its business in the background, without notifying KeePass or your operating system, so there is no verification or authentication required, leaving the victim non the wiser.
Users on a Sourceforge forum have asked KeePass to implement the requirement of their master password to be inputted before the export is allowed to happen, or to disable the export feature by default and requiring the master password to reenable it.
A workable exploit of this vulnerability has already been shared online, so it is only a matter time before it is developed further by malware developers and made widespread.
While not denying the existence of the CVE-2023-24055 vulnerability, KeePass's argument is that it cannot protect against threat actors who already have control of your system. They said that threat actors with write access to a user's system could steal their password vault via all sorts of means which it could not prevent.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
It was described as a 'write access to the configuration file' issue back in April 2019, with KeePass claiming that it is not a vulnerability pertaining to the password manager itself.
The developers said that "Having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)".
"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment", they added.
While KeePass are not willing to add any additional protections to prevent unauthorized export of the XML file, there is a workaround users can try. If they login as a user administrator instead, then they can create an enforced configuration file, which prevents the triggering of the export. They first have to make sure that no one else has write access to KeePass files and directories before they activate the admin account.
However, even this is not foolproof, since attackers could run an copy of the KeePass executable in another directory separate to where the enforced config file is stored, which means that, according to KeePass, "this copy does not know the enforced configuration file that is stored elsewhere, [therefore] no settings are enforced."
- Want to lock down your system tight? Then you should consider using the best security keys
Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.