Why You Shouldn't Use Microsoft Windows11.


LMDE5 - Linux Mint Debian Edition.

LMDE5 -...

Why Should I Not Use Windows10?

Here are a...

KeePass Password Manager Users Beware

KeePass Password Manager Users Beware

KeePass Password Manager Users Beware.

The password manager is popular, open-source, that allows you to manage your passwords storing them locally in an encrypted database for Linux or Windows.

To secure the local databases, a user can encrypt them using a master password so that malware or a threat actor can't just steal the database and automatically gain access to the passwords stored within it, you think, right?

Now this would be easily fixed if the programmers behind it, would just simply add a notification that lets the user click an Yes or No button. However, the programmers disputes this and as such, you should change to another software for your own safety.

Is your system compromised:

If your system is compromised, you are basically fucked.

A new vulnerability tracked as CVE-2023-24055, enables threat actors to write access to the target's system, allowing them to alter the KeePass XML configuration file and inject a malicious trigger that would export the entire database, including all usernames and passwords in clear text.

It works like this: The next time you launch KeePass and enter your master password to open and decrypt the database, the export rule will be triggered and the contents of your database will be saved to a file, which the attackers can exfiltrate from your system.

A proof-of-concept exploit has already been posted online, making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases on compromised devices.

CERT teams of Belgium and Netherlands have issued security advisories regarding CVE-2023-24055, but the KeePass development team is arguing that this shouldn't be classified as a vulnerability given that attackers with write access to a target's device can also obtain the information contained within the KeePass database through other means.

Looking at "Security Issues" page on the KeePass Help Center describes the "Write Access to Configuration File" issue since April 2019 as "not really a security vulnerability of KeePass."

If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers says.

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

The KeePass developers does not seem to care very much, so what you can do if you can't or won't coff up the money for a secure solution like "NordPass", then create an "enforced configuration file".

This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, mitigating the CVE-2023-24055 issue, if normal users do not have write access to any files/folders in KeePass' app directory.

Also worth noting is: If the attackers launch a KeePass executable from another location within your system, without an enforced configuration file. You are f..ked !!!

How about ditching the loosing team and change for the winning team here.

That being said, so far NordPass has not been compromised.

"If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."

KeePass Developers Site


Help us by donating a small amount

If you find this site helpful, please consider donating a small amount.
Please use our contact us form and we will give you the relevant information to make a donation.
We accept BitCoin and ZCash at the moment.

Games For Linux

Windows has always been the preferred platform for gaming, but after STEAM's interest in Linux more game developers are making their games natively available for Linux.


All information on this website is published in good faith and for general educational purposes and for use in safe testing environments only. While linuxexperten.com strives to make the information on this site as accurate as possible, linuxexperten.com does not warrant its completeness, reliability and accuracy.

We are not responsible for any losses or damages associated with the use of our website. While we strive to provide only links to useful websites, we have no control over the content of these sites and links to other sites do not constitute a recommendation for all content contained on these websites.


Site Information

This is a professional review site that receives compensation from the companies whose products reviewed. Each service or product are thoroughly tested and given high marks if considered to be the very best. Independently owned and the opinions expressed here are no one elses.


Limited Time Offers

None at the moment.