It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.
Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.
KeePass is an open-source password manager that stores its contents on a user’s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.
The vulnerability, logged as CVE-2023-24055, can be exploited by anyone who already has write access to a user’s system. Once that access has been obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — into an unencrypted plaintext file.
Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.
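Because the attack works by editing a configuration file on disk, a defender's check is to baseline that file and audit any trigger definitions it contains. The script below is an added example for this article, not KeePass project code: it fingerprints the configuration text for integrity monitoring and lists triggers whose action parameters point at a file path, UNC share or URL. The element names (TriggerSystem, Trigger, Name, Action, Parameter) and the constructed sample configuration are assumptions modelled on the layout of a KeePass-style config; the GUID values are placeholders, not real identifiers. Verify the element names against the actual KeePass.config.xml on the host before relying on it.

```python
"""Audit a KeePass-style XML configuration for trigger definitions.

Added example, not KeePass project code. It assumes the layout of the
constructed sample below (a TriggerSystem holding Trigger entries, each
with Name and Actions, where an Action carries string Parameters).
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration; GUID values are placeholders, not real KeePass identifiers.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-1</Guid>
          <Name>Nightly backup</Name>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\alice\\Desktop\\vault.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# A parameter that looks like a drive path, UNC share, POSIX path or URL
# suggests the trigger writes vault contents somewhere and deserves review.
SUSPICIOUS_PARAM = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/|https?://|ftp://)")


def config_fingerprint(xml_text: str) -> str:
    """SHA-256 of the config text, stored once as a baseline and compared on each check."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def find_triggers(xml_text: str) -> list[dict]:
    """Return every trigger with its name and the parameter strings of its actions."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.iter("Trigger"):
        name = (trig.findtext("Name") or "").strip()
        # iter() is recursive, so this collects parameters under Actions/Action/Parameters.
        params = [p.text.strip() for p in trig.iter("Parameter") if p.text and p.text.strip()]
        found.append({"name": name, "params": params})
    return found


def flag_suspicious(xml_text: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Names of triggers not on the allowlist whose parameters point at a path, share or URL."""
    flagged = []
    for trig in find_triggers(xml_text):
        if trig["name"] in allowlist:
            continue
        if any(SUSPICIOUS_PARAM.match(p) for p in trig["params"]):
            flagged.append(trig["name"])
    return flagged


if __name__ == "__main__":
    # In practice read the real config file instead of SAMPLE_CONFIG and
    # compare the fingerprint against the value recorded at baseline time.
    print("fingerprint:", config_fingerprint(SAMPLE_CONFIG))
    for name in flag_suspicious(SAMPLE_CONFIG):
        print("review trigger:", name)
```

The trigger's friendly name is deliberately unremarkable in the sample: a name alone says nothing about what a trigger does, which is why the check looks at the action parameters and why a fingerprint mismatch on a file the user never edited is the more reliable signal. Any trigger the user created on purpose can be added to the allowlist so only unexpected ones are reported.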
It won’t be fixed
However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.
In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won’t help.
The solution, the developers argue, is “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”