Kypass reviews

3/20/2023

“KeePass cannot magically run securely in an insecure environment.” “These attacks can only be prevented by keeping the environment secure by using an anti-virus software, a firewall, or not opening unknown email attachments,” said Reichl. Reichl pointed out that these attacks in the end can also affect KeePass, independent of a configuration file protection.

The victim can then open KeePass normally, saving changes, for example, and the trigger will execute in the background, exfiltrating the credentials and ultimately the full database to the attacker’s web server.

Following Hernandez’s post, NIST issued CVE-2023-24055 and the matter is under review.

Dominik Reichl, who developed KeePass and issued its first release in November 2003, said in response that having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file.

KeePass has been viewed in the industry as less user-friendly than the cloud-based options, but technical users depend on its security because it encrypts all passwords - and the entire database - and stores the database locally on a personal computer rather than in a password vault in the cloud.

According to Hernandez’s post, an attacker who has write access to a KeePass configuration file can modify it and inject malicious triggers to obtain the cleartext passwords by adding an export trigger.

It was reported last week that Bitwarden and 1Password were targeted in Google ads phishing campaigns that aimed to steal user password vault credentials.

And a security breach at LastPass that first came out late last year and a credential stuffing attack at Norton reported in mid-January have illustrated that master passwords used to secure vaults in cloud-based password managers are a potential security risk.

Recent security incidents around password managers such as Bitwarden and 1Password, and a posting last week by independent security researcher Alex Hernandez that the open-source KeePass password manager had a flaw, have sparked discussion in the industry around password managers.
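
Because the abuse described above lives in the KeePass configuration file, a defender can review that file for triggers nobody on the team created. The following is an added example, not code from KeePass or from Hernandez’s post: it lists every trigger in a configuration and notes why each deserves a look. The element names (`Trigger`, `Name`, `Action`, `Parameter`) are an assumed layout for the XML configuration file, and the sample input and heuristics are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real config; TypeGuid is a placeholder value.
SAMPLE_CONFIG = r"""<Configuration><Application><TriggerSystem><Triggers>
  <Trigger><Name>idle-lock</Name><Actions /></Trigger>
  <Trigger><Name>sync</Name><Actions><Action>
    <TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid>
    <Parameters>
      <Parameter>C:\Users\Public\out.csv</Parameter>
      <Parameter>https://collector.example/upload</Parameter>
    </Parameters>
  </Action></Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

URL_RE = re.compile(r"https?://", re.I)
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)")  # drive, UNC or POSIX path


def local(tag):
    """Strip any XML namespace so matching works on the bare element name."""
    return tag.rsplit("}", 1)[-1]


def audit_triggers(xml_text):
    """Return one finding per <Trigger>, with the reasons it deserves review."""
    root = ET.fromstring(xml_text)
    findings = []
    for trig in (e for e in root.iter() if local(e.tag) == "Trigger"):
        name = next((c.text or "" for c in trig if local(c.tag) == "Name"), "")
        actions = [e for e in trig.iter() if local(e.tag) == "Action"]
        params = [(p.text or "").strip() for a in actions
                  for p in a.iter() if local(p.tag) == "Parameter"]
        reasons = []
        if actions:
            reasons.append("has actions")
        if any(URL_RE.search(p) for p in params):
            reasons.append("parameter contains URL")
        if any(PATH_RE.match(p) for p in params):
            reasons.append("parameter contains file path")
        findings.append({"name": name, "actions": len(actions), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        print(f["name"], f["actions"], ", ".join(f["reasons"]) or "no actions")
```

A trigger the user does not recognise is the signal here; the URL and path checks only help prioritise which ones to read first.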