Skip to main content

Hackers may have stolen the master key to another password manager

The best password managers are meant to keep all your logins and credit card info safe and secure, but a major new vulnerability has just put users of the KeePass password manager at serious risk of being breached.

In fact, the exploit allows an attacker to steal a KeePass user’s master password in plain text — in other words, in an unencrypted form — simply by extracting it from the target computer’s memory. It’s a remarkably simple hack, yet one that could have worrying implications.

An app used to extract a user's master password from the KeePass password manager app.
The KeePass master password vulnerability discovered by security researcher ‘vdohney.’ The extracted master password (minus the first two characters) is shown at the end of the “Combined” line. Bleeping Computer

Password managers like KeePass lock up all your login info to keep it safe, and all that data is sealed behind a master password. You enter your master password to access everything stored in your vault, which makes it a valuable target for hackers.

Recommended Videos

As reported by Bleeping Computer, the KeePass vulnerability was discovered by security researcher ‘vdohney,’ who published a proof-of-concept (PoC) tool on GitHub. This tool is able to extract almost the entire master password (except the first one or two characters) in readable, unencrypted form. It can even do this if KeePass is locked and, potentially, if the app is closed altogether.

That’s because it extracts the master password from KeePass’s memory. As the researcher explains, this can be obtained in a variety of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit exists thanks to some custom code KeePass uses. When you enter your master password, you do so in a custom box called SecureTextBoxEx. Despite the name, it turns out this box is not so secure after all, since every character typed into the box essentially leaves a leftover copy of itself in the system memory. It’s these remnant characters that the PoC tool finds and extracts.

A fix is coming

Unsplash

The one caveat to this security breach is it requires physical access to the machine from which the master password is to be extracted. But that’s not necessarily always a problem — as we’ve seen in the LastPass exploit saga, hackers can gain access to a target’s computer using vulnerable remote access apps installed on the computer.

If a target computer was infected with malware, it could be configured to dump KeePass’s memory and send both it and the app’s database back to the hacker’s own server, allowing the threat actor to extract the master password in their own time.

Fortunately, KeePass’s developer says a fix is incoming, with one of the possible remedies being to insert random dummy text into the app’s memory that would obfuscate the password. The fix is not expected to be released until June or July 2023, which could be a painful wait for anyone nervous about their master password being leaked. However, the developer has also released a beta version of the fix, which can be downloaded from the KeePass website.

The vulnerability just goes to show that even seemingly secure apps like password managers can be breached, and it’s not the first time a serious weakness has been found in KeePass. If you want to keep yourself safe from online threats like this latest exploit, avoid downloading apps or opening files from unknown senders, steer clear of questionable websites, and use an antivirus app. And, of course, never share your password manager’s master password with anyone.

Alex Blake
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
I reviewed two of the best password managers. Here’s the one I recommend people use
A side-by-side comparison of 1Password and Bitwarden pricing appears on a PC monitor.

If you need more convenience, protection, and cross-platform integration than you can get with your browser’s autofill, you need a premium password manager like 1Password or Bitwarden. I recently reviewed both and put together this comparison to help you pick which works best for you.
Tiers and pricing
A side-by-side comparison of 1Password and Bitwarden pricing. Digital Trends

1Password is only available as a subscription, but Bitwarden has a very good free version. If you don’t want to pay an annual fee to use a password manager, Bitwarden is a great choice.

Read more
I tested two of the best password managers, and there’s a clear difference
A side-by-side comparison of Dashlane and Bitwarden pricing appears on a PC monitor.

Looking for a new password manager? While there are plenty of solutions to choose from, Dashlane and Bitwarden are among the best. I’ve reviewed both and can help you decide which is the best fit for your particular needs.
Tiers and pricing
A side-by-side comparison of pricing for Dashlane and Bitwarden. Digital Trends

If you want a free password manager, Bitwarden is the clear winner since it offers a full-featured solution with no arbitrary restrictions. Dashlane’s free version is more like an unlimited trial since it’s limited to a maximum of 25 logins.

Read more
Is the Bitwarden password manager safe to use?
Bitwarden website on a laptop.

Has someone recommended Bitwarden to you or have you seen it in your searches for the best password manager? If so, you’re likely wondering how safe it is to use, especially considering it’s widely available for free.

We’ll walk you through the safety, compliance, and security features that Bitwarden uses along with a concern you should consider. It’s then up to you to decide if Bitwarden is a safe and secure option for you.
What is Bitwarden?

Read more