A security researcher under the pseudonym VDOHNEY has discovered vulnerabilities in the popular password manager, KEEPASS. The flaws allow attackers who have access to a device to extract the master password from the application’s database, even if it’s blocked. VDOHNEY has published a tool, which can restore the master password in the form of a regular text, except for the first symbol, which can be selected quite quickly.
Keepass and other password managers allow users to create unique passwords for each online account and store them in an encrypted database. Users only need to remember one master password.
The vulnerability, which has been given the number CVE-2023-3278, can be exploited by hackers who can obtain a point of memory of the Keepass process. This can be done using physical access to the device or by infecting it with malware. The dump memory and the Keepass database are then sent to the attacker to extract the master password.
The latest version of Keepass, version 2.53.1, is affected by the vulnerability, and possibly all projects based on it. However, Keepass 1.x, Keepassxc, and Strongbox are not affected. Dominic Reichl, the developer of Keepass, has promised to release a fix for CVE-2023-3278 in version 2.54.
The security of password managers is essential, so users should exercise special care when downloading software from untrustworthy sites. They should also beware of phishing attacks that can infect devices, potentially harming data in different ways.