The best password managers aim to keep all of your login and credit card information safe and secure, but a major new security flaw has put KeePass password manager users at risk of being breached.
In fact, the exploit allows an attacker to steal the KeePass master user password in plain text—in other words, in unencrypted form—simply by extracting it from the target computer’s memory. It’s a very simple hack, but one that can have troubling repercussions.
Password managers like KeePass lock all of your login information to keep it safe, and all of that data is hidden behind a master password. You enter your master password to access everything stored in your vault, which makes it a valuable target for hackers.
As reported by Bleeping Computer, the KeePass vulnerability was discovered by security researcher “vdohney”, who posted a proof-of-concept (PoC) tool on GitHub. This tool is able to extract almost the entire master password (minus the first one or two characters) in readable and unencrypted form. It can do this even if KeePass is locked, and possibly if the app is completely closed.
This is because it extracts the master password from KeePass memory. As the researcher explains, this can be obtained in several ways: “It doesn’t matter where the memory comes from – it can be the process dump, the swap file (pagefile.sys), the hibernation file (hiberfil.sys) or the RAM dump of the entire system.”
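The on-disk sources named in that quote can be checked for on a given Windows machine. The read-only PowerShell audit below is an added example, not code from the article, the researcher or KeePass; the function names Get-RegValue and Get-MemoryPersistenceReport are hypothetical, and it assumes an elevated session.

```powershell
# Added example: read-only audit of the places where a copy of process memory
# (including a password manager's) can persist on disk on a Windows host.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-MemoryPersistenceReport {
    $ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $wer = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

    # hiberfil.sys: RAM contents written to disk when the machine hibernates.
    # -Force is required because it is a hidden system file.
    $hiberFile = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -File `
        -Filter 'hiberfil.sys' -ErrorAction SilentlyContinue
    $hiberOn = Get-RegValue "$ctl\Power" 'HibernateEnabled'
    [pscustomobject]@{ Source = 'Hibernation file'
        Detail = "exists=$([bool]$hiberFile); HibernateEnabled=$hiberOn" }

    # pagefile.sys: memory pages swapped out to disk while the system runs.
    $pageFiles = (Get-CimInstance -ClassName Win32_PageFileUsage).Name -join ', '
    $clear = Get-RegValue "$ctl\Session Manager\Memory Management" 'ClearPageFileAtShutdown'
    [pscustomobject]@{ Source = 'Page file'
        Detail = "files=[$pageFiles]; ClearPageFileAtShutdown=$clear" }

    # System crash dump: only a complete dump (1) captures all of RAM.
    $kinds = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small'; 7 = 'automatic' }
    $cde = Get-RegValue "$ctl\CrashControl" 'CrashDumpEnabled'
    $kind = if ($null -eq $cde) { 'not set' } else { $kinds[[int]$cde] }
    [pscustomobject]@{ Source = 'System crash dump'
        Detail = "CrashDumpEnabled=$cde ($kind)" }

    # Windows Error Reporting local dumps: per-process dumps written on a crash.
    $werType = Get-RegValue $wer 'DumpType'   # 1 = mini dump, 2 = full dump
    $werApps = (Get-ChildItem -Path $wer -ErrorAction SilentlyContinue).PSChildName -join ', '
    [pscustomobject]@{ Source = 'WER LocalDumps'
        Detail = "configured=$(Test-Path $wer); DumpType=$werType; per-app keys=[$werApps]" }
}

Get-MemoryPersistenceReport | Format-Table -AutoSize -Wrap
```

Each row that shows an enabled or existing source is a place where residual memory contents can outlive the process; full-disk encryption protects those files only while the machine is powered off.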
The exploit exists because of custom code that KeePass uses. When you enter your master password, you do so in a dedicated text box called SecureTextBoxEx. Despite the name, it turns out that this box isn’t secure at all, since every character typed into it essentially leaves a residual copy of itself in the system’s memory. These leftover characters are what the PoC tool finds and extracts.
The fix is coming
The one limitation of this exploit is that it requires physical access to the device from which the master password is to be extracted. But this isn’t always an obstacle – as we’ve seen with the LastPass exploit saga, hackers can gain access to a target’s computer using vulnerable remote access applications installed on the computer.
If the target computer is infected with malware, it can be configured to dump KeePass memory and send it and the application database back to the hacker’s server, allowing the threat actor to extract the master password on their own time.
Fortunately, KeePass’ developer says a fix is forthcoming, with one possible remedy being to inject random dummy text into the app’s memory that would mask the password. The fix isn’t expected to be released until June or July 2023, which can be an agonizing wait for anyone concerned that their master password has been leaked. However, the developer has also released a beta version of the fix, which can be downloaded from the KeePass website.
The vulnerability shows that even seemingly secure applications like password managers can be hacked, and it’s not the first time that a serious vulnerability has been discovered in KeePass. If you want to protect yourself from online threats like this latest exploit, avoid downloading apps or opening files from unknown senders, avoid questionable websites, and use an antivirus app. And of course, never share your password manager master password with anyone.