Security flaw causes KeePass to expose master password

According to Bleeping Computer , a newly discovered memory dump vulnerability in the KeePass application could allow attackers to retrieve master passwords in plain text even if the database is locked or the program is closed. A patch for this critical vulnerability will not be available until early June at the earliest.

A security researcher reported the vulnerability, and published a proof-of-concept exploit that allowed an attacker to extract the master password in plaintext, even if the KeePass database was closed, the program was locked, or not even open. When retrieved from memory, the first one or two characters of the password would be missing, but the entire string could then be guessed.

The exploit was written for Windows, but Linux and macOS are also believed to be vulnerable because the issue exists within KeePass and not in the operating system. To exploit the password, an attacker would need access to a remote computer (gained via malware) or directly on the victim machine.

According to the security expert, all versions of KeePass 2.x are affected. But KeePass 1.x, KeePassXC, and Strongbox - other password managers compatible with KeePass database files - are not affected.

The fix will be included in KeePass version 2.54, which could be released in early June.

There is now an unstable test version of KeePass with mitigations in place, but a report from Bleeping Computer says the security researcher has been unable to reproduce the password theft from the vulnerability.

However, even after KeePass is upgraded to a fixed version, passwords can still be viewed in the program's memory files. For complete protection, users need to completely wipe the computer by overwriting existing data, then reinstall a new operating system.

Experts advise that a good antivirus program will minimize the possibility, and that users should change their KeePass master password once the official version is available.