KeePass Vulnerability Allowing Stealthy Password Theft Disputed

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor cant just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a targets system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. This export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. After this was reported and assigned a CVE-ID, users asked the development team behind KeePass to add a confirmation prompt before silent database exports like the one triggered via a maliciously modified configuration file or provide a version of the app that comes without the export feature. Another request is to add a configurable flag to disable exporting inside the actual KeePass database, which could then only be changed by knowing the master password. Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases on compromised devices. While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldnt be classified as a vulnerability given that attackers with write access to a targets device can also obtain the information contained within the KeePass database through other means. A Security Issues page on the KeePass Help Center has been describing the Write Access to Configuration File issue since at least April 2019 as Not really a security vulnerability of KeePass. If the user has installed KeePass as a regular program and the attackers have write access, they can also Perform various kinds of attacks. Threat actors can also replace the KeePass executable with malware if the user runs the portable version. In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file, the KeePass developers explain. These attacks can only be prevented by keeping the environment secure. KeePass cannot magically run securely in an insecure environment. Even if the KeePass developers will not provide users with a version of the app that addresses the export to cleartext via triggers issue, you could still secure your database by logging in as a system admin and creating an enforced configuration file. This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue. Before using an enforced config file, you must also ensure that regular system users do not have write access to any files/folders in KeePass app directory. Theres also one more thing that could allow attackers to work around enforced configurations: using a KeePass executable launched from another folder than the one where your enforced config file was saved. Please note that an enforced configuration file only applies to the KeePass program in the same directory, the KeePass

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 30 Jan 2023 22:10:02 +0000


Cyber News related to KeePass Vulnerability Allowing Stealthy Password Theft Disputed

KeePass Vulnerability Allowing Stealthy Password Theft Disputed - The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. KeePass is a very popular ...
1 year ago Bleepingcomputer.com
KeePass disputes report of flaw that could exfiltrate a database - Recent security incidents around password managers such as Bitwarden and 1Password, and a posting last week by independent security researcher Alex Hernandez that the open-source KeePass password manager had a flaw, have sparked discussion in the ...
1 year ago Packetstormsecurity.com
Best of 2023: Another Password Manager Leak Bug: But KeePass Denies CVE - The issue is that KeePass has this weird feature that queues up a cleartext password export for the next time you authenticate. That feature is itself configured via a plain-text config file, writable in the user's security context. An attacker who ...
10 months ago Securityboulevard.com
31 Alarming Identity Theft Statistics for 2024 - Identity theft is a prevalent issue that affects millions of people annually. Although the numbers are startling, we've selected the 31 most concerning identity theft statistics to help you understand how to secure your identity. In 2022, the FTC ...
10 months ago Pandasecurity.com
Fake KeePass site uses Google Ads and Punycode to push malware - A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware. Google has been battling with ongoing malvertising campaigns that allow ...
11 months ago Bleepingcomputer.com
The Latest Identity Theft Methods: Essential Protection Strategies Revealed - Identity theft has evolved far beyond the days of stolen mail and dumpster diving. Today's identity thieves employ sophisticated techniques, including account takeovers and government benefit fraud, making it essential for you to stay vigilant to ...
9 months ago Hackread.com
Password-stealing "vulnerability" reported in KeyPass - It's been a newsworthy few weeks for password managers - those handy utilities that help you come up with a different password for every website you use, and then to keep track of them all. At the end of 2022, it was the turn of LastPass to be all ...
1 year ago Nakedsecurity.sophos.com
Best Password Generators of 2024 to Secure Your Accounts - Overview of best password generators to secure online accounts. We have various password generators to help us protect our accounts and practical barriers to protect our sensitive information. We have compiled this list of the best password ...
5 months ago Cyberdefensemagazine.com
Unmasking Identity Theft: Detection and Mitigation Strategies - In an increasingly digital world, the threat of identity theft looms large, making it imperative for individuals to be proactive in detecting potential breaches and implementing effective mitigation measures. This article delves into key strategies ...
10 months ago Cybersecurity-insiders.com
Password Advice for the Rest of Us - Cisco Blogs - The key function you’re wanting out of a password manager is the ability to create passwords that are at least twenty (20) characters long, with all the typical mix of letters, numbers and symbols, as well as the ability to create a unique password ...
1 month ago Feedpress.me
6 Best Enterprise Password Managers for 2024 Rated - Password managers are security tools that store, manage, and share authorization credentials safely for individual users and groups. In this article, I evaluate the top password managers and their ability to deliver and support solutions for ...
7 months ago Esecurityplanet.com
Securden Password Vault Review 2024: Security, Pros & Cons - Securden Password Vault is a password management solution geared towards supervising multiple accounts and sensitive login credentials. Yes, Securden Password Vault can be accessed for free. If you're looking for an enterprise-level password solution ...
9 months ago Techrepublic.com
Understand the pros and cons of enterprise password managers - To counter these threats, corporate IT security teams are turning to business-grade password managers to help centralize and streamline password and credential management. A password manager is a credential vault that gives IT teams a unified digital ...
9 months ago Techtarget.com
How to Share a Wi-Fi Password: A Step-by-Step Guide - You can unsubscribe at any ...
1 month ago Techrepublic.com
Open Source Password Managers: Overview, Pros & Cons - There are many proprietary password managers on the market for those who want an out-of-the box solution, and then there are open source password managers for those wanting a more customizable option. In this article, we explain how open source ...
7 months ago Techrepublic.com
LastPass is enforcing some security changes to user accounts - LastPass is making some changes to enhance the security of its to user accounts. The news comes as a follow-up to the company's plans to enforce stronger passwords a few months ago. ADVERTISEMENT. A brief recap of the LastPass security breaches. ...
10 months ago Ghacks.net
Protect your Active Directory from these Password-based Vulnerabilities - Deploying a security solution like Specops Password Policy enhances the protection of passwords, which are frequently exploited as an initial entry point by attackers. In this attack, the perpetrator, typically using a compromised low-level account ...
10 months ago Bleepingcomputer.com
Top 6 LastPass Alternatives for 2024 - LastPass is a popular choice for managing passwords and sensitive information for individuals and businesses. While the tool still enjoys global patronage, it's not a bad idea to consider other password managers that can serve as worthy alternatives ...
9 months ago Techrepublic.com
Hackers use Citrix Bleed flaw in attacks on govt networks worldwide - Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. Researchers from Mandiant report that four ...
11 months ago Bleepingcomputer.com
American Intellectual Property Theft a $600 Billion Dollar Issue - American Intellectual Property theft is costing the domestic economy as much as $600 billion per year, as reported by the Associated Press, and it appears lawmakers and watchdogs have taken note. Understanding the events that have precipitated the ...
10 months ago Securityzap.com
Android to add new anti-theft and data protection features - Google is introducing multiple anti-theft and data protection features later this year, some available only for Android 15+ devices, while others will roll out to billions of devices running Android 10 and later. To protect your personal and ...
5 months ago Bleepingcomputer.com
ShadowRay Vulnerability: 6 Lessons for AI & Cybersecurity - This exposure is under active attack, yet Ray disputes that the exposure is a vulnerability and doesn't intend to fix it. The dispute between Ray's developers and security researchers highlights hidden assumptions and teaches lessons for AI security, ...
6 months ago Esecurityplanet.com
70 million account credentials were leaked in a massive password dump - A security researcher has unearthed what appears to be one of the biggest password dumps ever. Over 70 million unique credentials have been leaked on the dark web. ADVERTISEMENT. The news came to light when Troy Hunt, the owner of the popular breach ...
9 months ago Ghacks.net
How Hackers Could Know Your Password – Even If It's Stolen Already - A data breach can feel like a personal violation, with your personal data, such as passwords, credit card details, or even conversations and photographs being stolen and shared online. While it can be difficult to protect yourself from a security ...
1 year ago Nakedsecurity.sophos.com
Graduation to Adulting: Navigating Identity Protection and Beyond! - There's one first you might not have considered: your first identity protection plan. Imagine this: you're building your credit score, applying for a credit card, or renting your first apartment. These milestones are crucial, but they also make you a ...
6 months ago Webroot.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)