Keeping passwords on your own device seems safer than storing them in the cloud, but a security researcher shows how you can hack KeePass by simply using the Notepad app.
In the wake of the recent LastPass breach and the Norton Password Manager credential-stuffing attack, you might have second thoughts about storing passwords in the cloud. Password management solutions that store all passwords on your local device, like the free open-source KeePass, start to look really attractive. However, a researcher recently revealed(Opens in a new window) a long-standing problem with KeePass that would allow an attacker to exfiltrate all your locally stored passwords using nothing more high-tech than Notepad. The founder of KeePass disputes the claim, albeit indirectly.
Just what’s going on with KeePass? Let's break it down.
How Does KeePass Work?
KeePass is extremely customizable, more than any password manager we’ve seen. Aficionados love to create and share scripts that bend the product’s features to do exactly what they want. And it’s all based on a system of triggers, conditions, and actions(Opens in a new window). If a trigger event occurs and any necessary conditions are met, KeePass performs the action.
Many triggers revolve around simple events such as starting the program, opening a password database, stopping the program, or saving a database. Advanced users can configure a time-based trigger, or a trigger launched by a custom button. Yes, you can even customize buttons in the KeePass user interface.
You can configure a trigger to only launch on the condition that a certain environment variable matches a specified value, or a certain file is present, among other things. More tellingly, KeePass can activate a trigger conditionally, based on whether a specified remote host is available.
Most of the available actions relate to internal KeePass operations. A trigger can cause KeePass to import or export the password database, open a specified database, or sync the current database with a backup file or URL. But it’s also possible for a trigger action to execute a command line or open a URL. I’ll repeat that—a trigger can execute a command line or open a URL. That’s the holy grail for hackers, the ability to execute arbitrary code.
The KeePass site offers numerous trigger examples(Opens in a new window) to perform useful tasks. These include backing up the database at program start, exporting to a second format on each save, and syncing your database to cloud storage.
Abusing the Trigger System
In January of 2023, security researcher Alex Hernandez detailed a proof of concept attack, abusing the KeePass trigger system to exfiltrate a plain text copy of all passwords. The NIST (National Institute of Standards & Technology) took the report seriously enough to add the attack to its vulnerability database, under the identifier CVE-2023-24055(Opens in a new window), though it’s disputed by KeePass.
Hernandez posted sample code for the attack on Github—those with sufficient skills can read the details here(Opens in a new window). Briefly, he edited the plain text KeePass configuration file to create an action triggered by saving the KeePass database. When a save event occurs, KeePass also exports the password database to a plain text version without asking for the master password. Another trigger uploads the exported database to a waiting server. And all that’s needed to commit this theft is the ability to edit the KeePass configuration file, either by sitting down to Notepad at an unlocked computer or by using a Remote Access Trojan to do the job from a distance.
Assume the System Is Compromised
The creator and founder of KeePass, Dominik Reichl, shot back at the supposed vulnerability, stating that any attacker with sufficient privilege to edit the offending file can easily do much, much worse. He brushed off user requests to at least ban the ability to export without requiring the master password, and he pooh-poohed the need for any change in KeePass itself, saying “KeePass cannot magically run securely in an insecure environment.”
The thing is, running securely in an insecure environment is exactly the way modern security should work. Savvy developers assume that the system is compromised and work out techniques to preserve security regardless. This mindset, also called Zero Trust, is at the heart of many modern security paradigms, including the elaborate protocol that lets cloud-based password managers authenticate users without ever knowing their passwords.
KeePass vs. Other Password Managers
If you walk away from your desk and leave your password manager logged in, anyone who manages to sit in your place can export your passwords and copy them to a thumb drive or send them to a server. That’s the apocalyptic scenario. No matter what password manager you use, you’re in a world of trouble. Just a reminder; set your password manager to log out automatically after inactivity, and always lock your computer when you step away.
- Karlston
-
1
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.