The KeePass development team is disputing what has been described as a newly discovered weakness that lets attackers covertly export the entire password vault in plain text. KeePass is a password manager like LastPass or Bitwarden, but where those products keep the vault in the cloud, the encrypted KeePass vault is stored locally on the user's computer.
The vulnerability (CVE-2023-24055) requires write access to the target's system. With that access, a threat actor can edit the KeePass XML configuration file and insert a malicious trigger that exports the entire vault, including every username and password, in cleartext. Once the victim starts KeePass and enters the master password to open and decrypt the vault, the export rule fires and the vault contents are written to a file that the attacker can later exfiltrate. Because the export runs in the background without alerting the user or prompting for the master password as confirmation, the threat actor silently obtains every stored password.
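Because the attack lives entirely in the configuration file, a defender's first check is to audit that file for trigger definitions whose actions point at an output path. The script below is an added example written for this article, not KeePass code: it parses a constructed sample of a KeePass configuration, reports whether the trigger system is enabled, and flags every trigger action whose parameters look like a file path. The element layout (`Configuration/Application/TriggerSystem/Triggers/Trigger/Actions/Action`) is assumed from the KeePass config format, and all GUIDs and paths in the sample are placeholders.

```python
"""Audit a KeePass.config.xml for triggers that could write the vault to disk."""
import xml.etree.ElementTree as ET

# Constructed sample configuration with one trigger whose action carries an
# output path. Element names follow the assumed KeePass layout; GUID values are
# placeholders, not real KeePass trigger or action identifiers.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>sync</Name>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid>
              <Parameters />
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\\Users\\Public\\vault-export.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed clean configuration: trigger system present but no triggers defined.
CLEAN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Heuristic: a parameter that contains a path separator or ends in a common
# export extension is treated as an output location worth reviewing.
EXPORT_EXTENSIONS = (".xml", ".csv", ".txt", ".html", ".htm")


def looks_like_path(value: str) -> bool:
    v = value.strip()
    return "\\" in v or "/" in v or v.lower().endswith(EXPORT_EXTENSIONS)


def audit_triggers(xml_text: str) -> dict:
    """Return the trigger-system state and every action that names a file path."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    system = root.find("./Application/TriggerSystem")
    if system is None:
        return {"enabled": False, "triggers": 0, "findings": []}
    enabled = (system.findtext("Enabled") or "").strip().lower() == "true"
    triggers = system.findall("./Triggers/Trigger")
    findings = []
    for trigger in triggers:
        name = (trigger.findtext("Name") or "").strip()
        for action in trigger.findall("./Actions/Action"):
            params = [(p.text or "").strip() for p in action.findall("./Parameters/Parameter")]
            paths = [p for p in params if looks_like_path(p)]
            if paths:
                findings.append({
                    "trigger": name,
                    "type_guid": (action.findtext("TypeGuid") or "").strip(),
                    "paths": paths,
                })
    return {"enabled": enabled, "triggers": len(triggers), "findings": findings}


def has_export_risk(report: dict) -> bool:
    """True only if triggers can fire and at least one action writes to a path."""
    return report["enabled"] and bool(report["findings"])


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("clean", CLEAN_CONFIG)):
        rep = audit_triggers(cfg)
        print(label, "enabled:", rep["enabled"], "triggers:", rep["triggers"],
              "risk:", has_export_risk(rep))
        for f in rep["findings"]:
            print("  trigger", repr(f["trigger"]), "writes to", f["paths"])
```

Run it against the real KeePass.config.xml by reading the file and passing its text to `audit_triggers`; any trigger whose action names a path deserves a manual look, since a legitimate KeePass install typically has no triggers at all. A finding only matters when `Enabled` is true, which is why `has_export_risk` checks both.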
Users have asked the KeePass development team to release a version of the program without the export capability, or to add a confirmation prompt before vault contents can be exported. Another request is a configurable flag that would prevent any data from being exported from the KeePass database and could only be toggled with the master password.