{"id":603083,"date":"2023-01-31T07:49:31","date_gmt":"2023-01-31T13:49:31","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/31\/this-huge-password-manager-exploit-may-never-get-fixed\/"},"modified":"2023-01-31T07:49:31","modified_gmt":"2023-01-31T13:49:31","slug":"this-huge-password-manager-exploit-may-never-get-fixed","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/31\/this-huge-password-manager-exploit-may-never-get-fixed\/","title":{"rendered":"This huge password manager exploit may never get fixed"},"content":{"rendered":"
\n

It\u2019s been a bad few months for password managers \u2014 albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach<\/a>, attention is now turning to open-source manager KeePass.<\/p>\n

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user\u2019s entire password database in unencrypted plaintext. That\u2019s an incredibly serious claim, but KeePass\u2019s developers are disputing it.<\/p>\n

\"A
Stock Depot\/Getty Images<\/a><\/span><\/figcaption><\/figure>\n

KeePass is an open-source password manager<\/a> that stores its contents on a user\u2019s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.<\/p>\n

The vulnerability, logged as CVE-2023-24055<\/a>, is available to anyone with write access to a user\u2019s system. Once that\u2019s been obtained, a threat actor can add commands to KeePass\u2019s XML configuration file that automatically export the app\u2019s database \u2014 including all usernames and passwords \u2014 into an unencrypted plaintext file.<\/p>\n

Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.<\/p>\n

<\/a>It won\u2019t be fixed<\/h2>\n
\"A
Getty Images<\/a><\/span><\/figcaption><\/figure>\n

However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.<\/p>\n

In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won\u2019t help.<\/p>\n

The solution, the developers argue, is \u201ckeeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.\u201d<\/p>\n

<\/a>What can you do?<\/h2>\n
\"password<\/figure>\n

While KeePass\u2019s developers appear unwilling to fix the issue, there are steps you can take yourself. The best thing to do is to create an enforced configuration file<\/a>. This will take precedence over other config files, mitigating any malicious changes made by outside forces (such as that used in the database export vulnerability).<\/p>\n

You\u2019ll also need to make sure regular users do not have write access to any important files or folders contained within the KeePass directory, and that both the KeePass .exe file and the enforced configuration file are in the same folder.<\/p>\n

And if you don\u2019t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers<\/a> to keep your logins and credit card details safer than ever.<\/p>\n

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords<\/a> that are encrypted on all your devices. That\u2019s far safer than using \u201c123456\u201d for every account<\/a>.<\/p>\n

\n

\n\t<\/p>\n

\n

\n\t\t\tToday’s tech news, curated and condensed for your inbox\t\t<\/p>\n

\n

<\/i>
\n\t\t\t\t
\n\t\t\t\t\tCheck your inbox!\t\t\t\t<\/span>\n\t\t\t<\/p>\n

\n

\n\t\t\t\t\tPlease provide a valid email address to continue.\t\t\t\t<\/p>\n

\n\t\t\t\t\tThis email address is currently on file. If you are not receiving newsletters, please check your spam folder.\t\t\t\t<\/p>\n

\n\t\t\t\t\tSorry, an error occurred during subscription. Please try again later.\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n

\n\tEditors’ Recommendations<\/h4>\n