You are right Horst, no further discussion is needed here. I am not donating any more and KeePass is dead for me, unless some basic changes are made. Have a nice life!
Hello Schultz, the topic of this conversation reads: "someone can read the passwords using export trigger" -> STILL someone can modify your config file to add an export trigger (ok, let's say KeePass is not responsible here) -> STILL KeePass reads the modified config file and executes the export trigger -> STILL the exported passwords are in clear text. So what is the FIX here???
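Added example, not code from this thread or from the KeePass project: a small audit script that parses a KeePass.config.xml and lists every trigger action, flagging the ones whose parameters look like an export (a format name plus an output file path). It assumes the KeePass 2.x config layout Configuration/Application/TriggerSystem/Triggers/Trigger/Actions/Action/Parameters/Parameter; the embedded config, the trigger names and the GUID values are constructed placeholders, and the export heuristic is an assumption of this example, not a KeePass rule. The point it demonstrates is the chain described above: the trigger lives in a plain-text config file next to the program, so a baseline check of that file is the only place a user can notice it before the master key is entered.

```python
"""Audit a KeePass.config.xml for trigger actions that could export the database."""
import re
import xml.etree.ElementTree as ET

# Assumed element path inside the KeePass 2.x configuration file.
TRIGGER_SYSTEM = "./Application/TriggerSystem"

# Heuristics (assumptions of this example, not a KeePass API): an export action
# carries a format name and an output path among its parameters.
FORMAT_HINT = re.compile(r"\b(XML|CSV|HTML|TXT)\b", re.I)
PATH_HINT = re.compile(r"[\\/][^\\/]+\.(xml|csv|html?|txt)$", re.I)

# Constructed sample config with one export-like trigger and one benign trigger.
# GUIDs below are placeholders, not real KeePass type identifiers.
SAMPLE_CONFIG = """
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>exfil</Name>
          <Events><Event><TypeGuid>EVENT-PLACEHOLDER</TypeGuid></Event></Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\\Users\\Public\\out.xml</Parameter>
                <Parameter />
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>BBBBBBBBBBBBBBBBBBBBBB==</Guid>
          <Name>show-message</Name>
          <Events><Event><TypeGuid>EVENT-PLACEHOLDER</TypeGuid></Event></Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-PLACEHOLDER</TypeGuid>
              <Parameters><Parameter>Database opened</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed config without any trigger system at all.
NO_TRIGGERS_CONFIG = "<Configuration><Application /></Configuration>"


def audit_triggers(config_xml: str) -> list[dict]:
    """Return one record per trigger action; 'suspicious' marks export-like ones."""
    root = ET.fromstring(config_xml)
    system = root.find(TRIGGER_SYSTEM)
    if system is None:
        return []
    enabled = (system.findtext("Enabled") or "").strip().lower() == "true"
    findings = []
    for trigger in system.iterfind("./Triggers/Trigger"):
        name = (trigger.findtext("Name") or "(unnamed)").strip()
        for action in trigger.iterfind("./Actions/Action"):
            params = [(p.text or "").strip()
                      for p in action.iterfind("./Parameters/Parameter")]
            # Export-like: some parameter names a format AND some parameter is an output path.
            looks_like_export = (any(FORMAT_HINT.search(p) for p in params)
                                 and any(PATH_HINT.search(p) for p in params))
            findings.append({
                "trigger": name,
                "system_enabled": enabled,
                "type_guid": (action.findtext("TypeGuid") or "").strip(),
                "parameters": params,
                "suspicious": looks_like_export,
            })
    return findings


def suspicious_triggers(config_xml: str) -> list[str]:
    """Names of triggers with at least one export-like action (and triggers enabled)."""
    return sorted({f["trigger"] for f in audit_triggers(config_xml)
                   if f["suspicious"] and f["system_enabled"]})


if __name__ == "__main__":
    for f in audit_triggers(SAMPLE_CONFIG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} trigger={f['trigger']!r} params={f['parameters']}")
```

Run it against the real file (typically next to KeePass.exe, or under %APPDATA%\KeePass) by reading it into a string and passing it to audit_triggers; a machine where the user never defined triggers should return an empty list, so any record at all is worth a look, not only the flagged ones.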
I tested the new version 2.53.1. Yes, KeePass asks a second time for the password, but with the same login mask with a slightly modified popup title: "Enter current Master Key (Export)". A normal user will think he mistyped the master password the first time and will enter the password again. The second time the export will trigger and the attacker will still get the exported clear text passwords again. SO... no fix at all!!!
Dear Dominik Reichl, when will we see an update that fixes the export trigger vulnerability issues?
Oh yeah, you're right. The attacker must know the password in that case. My bad, sorry.
That's not a solution, because KeePassXC has no database file type of its own. KeePass can open a database saved with KeePassXC. So when you save the database with KeePassXC, an attacker can use his own portable KeePass with an export trigger in its configuration file and still export your database.
Dear Josef, are you doing the same in your home? You lock the outside door and then inside your home leave everything unlocked and your money on the table because you think: "If a burglar is already in my house he will steal everything, so I can't do anything about it." I find this a weird point of view!
Hopefully the fix I proposed in my posting above will already be in version 2.54, otherwise KeePass is history for me too. Additionally, the new database must be backwards incompatible to prevent attacks from older KeePass versions.
The possibility that someone using a configuration file can read all passwords from an encrypted database without having to enter the master password is a no-go for me. As an attacker, you only have to wait until someone enters the master password for you. Please put the configuration inside the database, or at least the security-related part of it. It would have the nice side effect that, depending on the opened database, a different configuration is used. Binding the configuration to the database...