Skip to main content

This huge password manager exploit may never get fixed

It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.

Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

KeePass is an open-source password manager that stores its contents on a user’s device, rather than in the cloud like rival offerings. Like many other apps, however, its password vault can be protected with a master password.

The vulnerability, logged as CVE-2023-24055, is available to anyone with write access to a user’s system. Once that’s been obtained, a threat actor can add commands to KeePass’s XML configuration file that automatically export the app’s database — including all usernames and passwords — into an unencrypted plaintext file.

Thanks to the changes made to the XML file, the process is all done automatically in the background, so users are not alerted that their database has been exported. The threat actor can then extract the exported database to a computer or server they control.

It won’t be fixed

A depiction of a hacker breaking into a system via the use of code.
Getty Images

However, the developers of KeePass have disputed the classification of the process as a vulnerability, since anyone who has write access to a device can get their hands on the password database using different (sometimes simpler) methods.

In other words, once someone has access to your device, this kind of XML exploit is unnecessary. Attackers could install a keylogger to get the master password, for instance. The line of reasoning is that worrying about this kind of attack is like shutting the door after the horse has bolted. If an attacker has access to your computer, fixing the XML exploit won’t help.

The solution, the developers argue, is “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

What can you do?

password manager lifestyle image
Image used with permission by copyright holder

While KeePass’s developers appear unwilling to fix the issue, there are steps you can take yourself. The best thing to do is to create an enforced configuration file. This will take precedence over other config files, mitigating any malicious changes made by outside forces (such as that used in the database export vulnerability).

You’ll also need to make sure regular users do not have write access to any important files or folders contained within the KeePass directory, and that both the KeePass .exe file and the enforced configuration file are in the same folder.

And if you don’t feel comfortable continuing to use KeePass, there are plenty of other options. Try switching to one of the best password managers to keep your logins and credit card details safer than ever.

While this is undoubtedly more bad news for the world of password managers, these apps are still worth using. They can help you create strong, unique passwords that are encrypted on all your devices. That’s far safer than using “123456” for every account.

Editors' Recommendations

Alex Blake
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
If you use this free password manager, your passwords might be at risk
Office computer with login asking for password and username.

Researchers have just found a flaw within Bitwarden, a popular password manager. If exploited, the bug could give hackers access to login credentials, compromising various accounts.

The flaw within Bitwarden was spotted by Flashpoint, a security analysis firm. While the issue hasn't received much -- or any -- coverage in the past, it appears that Bitwarden was aware of it all along. Here's how it works.

Read more
LastPass reveals how it got hacked — and it’s not good news
A depiction of a hacker breaking into a system via the use of code.

Last year was a particularly bad one for password manager LastPass, as a series of hacking incidents revealed some serious weaknesses in its supposedly rock-solid security. Now, we know exactly how those attacks went down -- and the facts are pretty breathtaking.

It all began in August 2022, when LastPass revealed that a threat actor had stolen the app’s source code. In a second, subsequent attack, the hacker combined this data with information found in a separate data breach, then exploited a weakness in a remote-access app used by LastPass employees. That allowed them to install a keylogger onto the computer of a senior engineer at the company.

Read more
The best password managers for 2023
have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we

If you're still copying and pasting passwords from a notepad, it's time to better protect your accounts online. That's where password managers come in, which give you a single master password to both simplify and secure your accounts.
But knowing which to sign up for isn't just as simple as looking down the feature list and price. Recent hacks and data leaks mean you need to be extra careful about which one you use.

1Password (Windows, Mac, iOS, Android, Linux, and Chrome OS)

Read more