



Top password manager denies its entire database can be stolen


Open-source password manager KeePass has refuted claims that it has a significant security flaw allowing undue access to user password vaults.

KeePass is designed primarily for individual use, rather than being a business password manager. It differs from many popular password managers in that it does not store its database on cloud servers; instead, it stores it locally on the user’s device.

The newly discovered vulnerability, known as CVE-2023-24055, allows hackers who have already gained access to a user’s system to export their entire vault in plain text by altering an XML configuration file, completely exposing all their usernames and passwords.


Not our problem

When the victim opens KeePass and enters their master password to access their vault, this will trigger the export of the database to a file that the hackers can steal. The process quietly goes about its business in the background, without notifying KeePass or your operating system, so there is no verification or authentication required, leaving the victim none the wiser.

Users on a SourceForge forum have asked KeePass to require the master password to be entered before the export is allowed to happen, or to disable the export feature by default and require the master password to re-enable it.

A working exploit of this vulnerability has already been shared online, so it is only a matter of time before it is developed further by malware developers and made widespread.

While not denying the existence of the CVE-2023-24055 vulnerability, KeePass’s argument is that it cannot protect against threat actors who already have control of your system. They said that threat actors with write access to a user’s system could steal their password vault through all kinds of means which it could not prevent.

It was described as a ‘write access to the configuration file’ issue back in April 2019, with KeePass claiming that it is not a vulnerability pertaining to the password manager itself.

The developers said that “Having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)”.

“These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment”, they added.

While KeePass is not willing to add any extra protections to prevent unauthorized export of the XML file, there is a workaround users can try. If they log in as an administrator instead, then they can create an enforced configuration file, which prevents the triggering of the export. They first must make sure that no one else has write access to KeePass files and directories before they activate the admin account.

However, even this is not foolproof, since attackers could run a copy of the KeePass executable in another directory separate from where the enforced config file is saved, which means that, according to KeePass, “this copy doesn’t know the enforced configuration file that is stored elsewhere, [therefore] no settings are enforced.”
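The workaround depends on nobody but administrators being able to write to the KeePass files and directories. The following PowerShell audit is an added example, not code from the article or from KeePass; it assumes the default install path shown in the parameter and treats SYSTEM, Administrators and TrustedInstaller as the only expected writers.

```powershell
# Added example: report identities other than SYSTEM, Administrators and
# TrustedInstaller that can modify the KeePass program directory or its files.
param(
    # Assumed default install location; pass -KeePassDir for other installs.
    [string]$KeePassDir = (Join-Path $env:ProgramFiles 'KeePass Password Safe 2')
)

# Well-known SIDs that are expected to hold write access under Program Files.
$trustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal change, replace or re-permission a file.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear unmapped in ACEs.
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$items = @(Get-Item -LiteralPath $KeePassDir) +
         @(Get-ChildItem -LiteralPath $KeePassDir -Recurse -Force)

$findings = foreach ($item in $items) {
    foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to the object they are set on.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $rule.IdentityReference.Value
                Rights   = $rule.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No unexpected write access found.' }
```

An empty result covers only the directory that was audited; as the quoted caveat says, a copy of the executable started from another directory does not read that enforced file.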
