Security Bits Logo no alpha channel

Security Bits — 5 Feb 2023

Feedback & Followups

Deep Dive — A Vulnerability in KeePass? It’s Complicated

Officially, there is a vulnerability in KeePass (it has a CVE number), but the open source project team are disputing this classification, they literally say it’s a feature not a bug!

If you can write to a user’s KeePass settings file, you can add an event handler that can silently do anything with the data in a vault when the user unlocks it, including automatically stealing the entire contents!

Security researchers argue this is a vulnerability in something like a password manager, but the KeePass team argue that if baddies have write access to your files, you’re in bigger trouble anyway, so this is not actually a bug, and besides, event handlers are a cool feature that let geekier users do fun things.

The feature can be disabled globally on a computer by editing a master XML file in the applications installation directory, which is the kind of thing corporations might want to roll out with MDM/Group Policy Objects.

5 years ago I think I’d have sided with the KeePass developers — on traditional desktop OSes, once an attacker got to run code as you they could do anything, so all bets were off, so this wouldn’t really give them anything they couldn’t get with a key logger. The security perimeter was the user account, so if baddies got in they got in, and that was that.

That’s still true on many desktop OSes in use today, but it’s not true anymore on modern versions of macOS, where a new layered approach is taken, it’s not so much a castle and a moat as a security onion. There isn’t one security perimeter, but many — getting your code to execute doesn’t get you automatic access to a whole load of important information anymore on the Mac — each of those security prompts apps need to ask you for when you first run them reveal these new perimeters, they include:

  1. Permission to access the Documents and Desktop folders
  2. Permission to access Contacts
  3. Permission to access Photos
  4. And most importantly for this discussion — permission for assistive technologies, which includes access to keyboard events.

This means that on a Mac, baddies can’t just install a key logger the moment they get into your account, they need to bypass additional controls before they can do that. This means that on a Mac, by default, anything you save in KeePass is more exposed that items saved in other password managers and the KeyChain.

It is true that you really don’t want baddies accessing your user account on your Mac, but it’s also true that when bad stuff happens, every layer of defence limits the damage, so if I were a KeePass user I would be disabling this feature, and to be honest, the lax attitude the developers are showing to security would give me real pause. I think I would probably be looking at alternatives before something terrible happened. The attitude from the KeePass team would be entirely appropriate for other container-like apps such as EverNote, but secure vaults need to meet a higher bar IMO, their default configuration should be as secure as possible, and this kind of power feature used by only a tiny percentage of users should be opt-in, with appropriate warnings about the security implications, not on-by-default.


A clear and appropriately nuanced description of the issue: [Password-stealing “vulnerability” reported in KeePass – bug or feature? —…]

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Interesting Insights

Just Because it’s Cool 😎

  • Google has quietly been rolling out a 15 year old idea for improving DNS security, using randomised case to add entropy and make cache poisoning much more difficult —… (Note this is a stop-gap measure until all authoritative DNS servers support at least on secure protocol like DNSSEC or DNS-over-HTTPS)

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top