The KeePass team, which created the popular open-source password management software, is disputing a recent discovery of a vulnerability in their software. According to the vulnerability report, it’s possible to steal passwords by exploiting it.
KeePass helps users store their passwords in a locally stored database that can be encrypted using a master password to prevent theft by malware or threat actors. The new vulnerability, CVE-2023-24055, enables attackers with write access to alter the KeePass XML configuration file and trigger an export of the entire database in plain text.
What is the alleged vulnerability?
The export happens in the background without any notification to the user and is triggered the next time the database is decrypted using the master password. This has led users to ask the KeePass team to either add a confirmation prompt before the export or provide a version of the app that doesn’t have the export feature.
The KeePass team disputes this discovery as a vulnerability, stating that attackers with write access to a target’s device can already obtain the information in the KeePass database through other means. The team has recommended keeping the environment secure, such as using anti-virus software and firewalls, to prevent such attacks.
KeePass says users can take steps to protect themselves
Users who still want to secure their databases can have a system administrator create an enforced configuration file and ensure that regular users don’t have write access to any files or folders in KeePass’ app directory.
However, the KeePass team warns that an enforced configuration file only applies to the KeePass program in the same directory. It will not be enforced if the user runs another copy of KeePass without the file.
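The following audit script is an added example and not code from KeePass or from the original article. It checks the two conditions the text describes for one KeePass 2.x install directory: that an enforced configuration file sits beside the program, and that no broad principal (Users, Authenticated Users, Everyone) holds write-type rights on the directory or its configuration files. It also reports how many trigger definitions the local configuration contains, since the described export is planted as a trigger. The install path, the file names KeePass.config.xml and KeePass.config.enforced.xml, the per-user config location under %APPDATA%, and the <Trigger> element name are assumptions taken from a standard KeePass 2.x layout; adjust them for the deployment being audited.

```powershell
# Added audit script (not part of KeePass or of the original article).
# Assumptions: default install path, config file names, the %APPDATA% per-user
# config location and the <Trigger> element name follow a standard KeePass 2.x
# layout. Run from an elevated prompt so Get-Acl can read every entry.
param(
    [string]$KeePassDir = 'C:\Program Files\KeePass Password Safe 2'   # assumed default path
)

$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Only rights that let a caller change content or permissions count as "write".
# ReadAndExecute-style entries (the normal state under Program Files) do not match.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles `
                   -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-BroadWriteAces {
    # Returns one object per Allow ACE that grants a broad principal write-type rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $KeePassDir -PathType Container)) {
    throw "KeePass directory not found: $KeePassDir"
}

$enforced   = Join-Path $KeePassDir 'KeePass.config.enforced.xml'
$localCfgs  = @(
    (Join-Path $KeePassDir 'KeePass.config.xml'),
    (Join-Path $env:APPDATA 'KeePass\KeePass.config.xml')   # assumed per-user location
)

# 1. Enforced configuration present beside the program?
if (Test-Path -LiteralPath $enforced) {
    Write-Host "[OK]   Enforced configuration present: $enforced"
} else {
    Write-Host "[WARN] No enforced configuration file at $enforced"
}

# 2. Broad write access on the app directory or on any config file inside it?
$targets  = @($KeePassDir) + @(Get-ChildItem -LiteralPath $KeePassDir -Filter 'KeePass.config*.xml' |
                               ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Get-BroadWriteAces -Path $t }
if ($findings) {
    Write-Host "[WARN] Broad principals can modify KeePass files:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[OK]   No broad write access on $KeePassDir or its config files"
}

# 3. Trigger definitions in the local configuration(s). Any trigger an admin did
#    not deploy deserves a manual look, as this is where a silent export is set up.
foreach ($cfgPath in $localCfgs) {
    if (-not (Test-Path -LiteralPath $cfgPath)) { continue }
    [xml]$cfg = Get-Content -LiteralPath $cfgPath -Raw
    $triggers = $cfg.SelectNodes('//Trigger')
    Write-Host ("[INFO] {0} trigger(s) defined in {1}" -f $triggers.Count, $cfgPath)
}
```

The write mask deliberately excludes Read, ExecuteFile and Synchronize bits, so the inherited ReadAndExecute entry that BUILTIN\Users normally has under Program Files is not reported; only entries that would let a standard user alter the directory, its files or their permissions are flagged. Note that, as the text warns, a clean result for this directory says nothing about a second copy of KeePass the user may run from elsewhere.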
The KeePass team argues that this discovery shouldn’t be classified as a vulnerability. However, users can still take steps to secure their databases by creating an enforced configuration file and keeping their environment secure.