Your humble blogwatcher curated these bloggy bits for your entertainment.

What's the craic? Alex Hernandez reports a vulnerability, "CVE-2023-24055":

> An attacker who has write access to the KeePass configuration file … can modify it and inject malicious triggers, e.g., to obtain the cleartext passwords by adding an export trigger. … Victim will open KeePass as normal; the trigger will execute in the background, exfiltrating the credentials in cleartext.

All this so soon after the LastPass and LifeLock scares? Sergiu Gatlan felt a great disturbance in The Force, "KeePass disputes vulnerability":

> KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. … The new vulnerability … enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. … This export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords.
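Because the whole issue hinges on a trigger definition sitting in the XML configuration file, the practical defensive check is to audit that file for trigger actions nobody approved. The script below is an added example written for this post, not code from KeePass or from either article: it parses a constructed sample config that follows the `Application/TriggerSystem/Triggers/Trigger/Actions/Action` layout (an assumption about the file's structure; the GUIDs and paths in the sample are made-up placeholders, not real KeePass values), reports every action whose type GUID is not on an administrator-maintained allowlist, and highlights parameters that name a file or URL, which is what an export action needs to send the database somewhere.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass.config.xml carrying an injected trigger.
# Element layout is an assumption about the TriggerSystem section; every GUID
# and path below is a placeholder, not a value taken from KeePass.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-DB-OPENED</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-EXPORT</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Action type GUIDs an administrator has reviewed and accepts. Left empty here,
# so every trigger action is reported; fill it from your own vetted config.
ALLOWED_ACTION_GUIDS = set()


def _text(elem, tag):
    """Return the stripped text of a direct child element, or '' if absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def looks_like_output_target(value):
    """Heuristic: a parameter that names a path or URL is where data could go."""
    v = value.lower()
    return "://" in v or "\\" in v or "/" in v or v.endswith((".xml", ".csv", ".txt"))


def audit_triggers(config_xml):
    """List trigger actions not on the allowlist, with any path/URL parameters."""
    root = ET.fromstring(config_xml)
    findings = []
    ts = root.find("Application/TriggerSystem")
    if ts is None:
        return findings
    for trig in ts.iter("Trigger"):
        name = _text(trig, "Name")
        for action in trig.iter("Action"):
            guid = _text(action, "TypeGuid")
            params = [(p.text or "").strip() for p in action.iter("Parameter")]
            targets = [p for p in params if looks_like_output_target(p)]
            if guid in ALLOWED_ACTION_GUIDS and not targets:
                continue
            findings.append({"trigger": name, "action_guid": guid,
                             "params": params, "targets": targets})
    return findings


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        print(f"trigger {f['trigger']!r}: action {f['action_guid']} "
              f"params={f['params']} output targets={f['targets']}")
```

Run it against a real config by reading the file into `audit_triggers`; a clean workstation deployment that does not use triggers should produce no findings at all, and a non-empty result is the cue to diff the file against a known-good copy and check who has write access to it.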