Headline
CVE-2023-24055: KeePass / Feature Requests / #2773 Improve the security of password exports
** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor’s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Why people trust keepass so they use it instead of a spreadsheet ? perhaps because it is supposed to provide additional security, simply by clicking on the ‘install’ button.
And how many know that by default a simple text editor (not a spyware) will configure keepass to export, the next time they open it, all passwords in clear text without notification or confirmation?
And above all why don’t you say on your homepage : "An attacker who has write access to the KeePass configuration file can modify it maliciously and can access all your passwords" ?
If you write "These attacks can only be prevented by keeping the environment secure", in this case why do I need keepass ?
Related news
A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early
A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news