Tag

Keepass

All articles tagged with #keepass

Google Ads Deliver Malware to Popular Text Editors

Originally Published 2 years ago — by Ars Technica

Source: Ars Technica

Google has been hosting a malicious ad that appears to be a legitimate pitch for the password manager KeePass. The ad leads users to a website with an almost identical URL to the genuine KeePass site, creating a convincing deception. The imposter site uses punycode encoding to appear genuine, making it difficult to detect. The ads have been running since Saturday and were paid for by an advertiser verified by Google. There is no foolproof way to detect these malicious ads or encoded URLs, but users can manually type the URL or inspect the TLS certificate for verification.

KeePass Security Flaw Exposes Master Passwords in Cleartext

Originally Published 2 years ago — by PCWorld

Source: PCWorld

A newly discovered vulnerability in the KeePass password manager allows retrieval of the master password in plaintext, even when the database is locked or the program is closed. A fix is expected to arrive in early June, but even after upgrading to the fixed version of KeePass, the master password may still be viewable in the program’s memory files. Users can reduce their exposure by not letting untrusted individuals access their computer, using a good antivirus program, and changing their master password after upgrading. This appears to be only a proof-of-concept concern, rather than an active exploit.

KeePass Password Manager Vulnerability Exposes Master Passwords to Hackers

Originally Published 2 years ago — by Digital Trends

Source: Digital Trends

A major vulnerability has been discovered in the KeePass password manager that allows hackers to extract a user's master password in plain text from the target computer's memory, even if the app is locked or closed. The exploit requires physical access to the machine, but malware could be used to dump KeePass's memory and send it to the hacker's server. KeePass's developer is working on a fix, but it won't be released until June or July 2023. In the meantime, users should avoid downloading apps or opening files from unknown senders, use an antivirus app, and never share their password manager's master password with anyone.

KeePass Vulnerability Exposes Master Passwords, Fix on the Way

Originally Published 2 years ago — by BleepingComputer

Source: BleepingComputer

A vulnerability in the KeePass password manager has been discovered that allows attackers to extract the master password from the application's memory, even when the database is locked. The flaw exists because the software uses a custom password entry box that leaves traces in memory of each character the user types. The vulnerability impacts the latest version of KeePass, 2.53.1, and as the program is open-source, any project forks are likely affected. A fix is expected in KeePass version 2.54, which is expected to be released in early June.

KeePass Vulnerability Exposes Master Passwords to Theft

Originally Published 2 years ago — by Help Net Security

Source: Help Net Security

A vulnerability in the KeePass password manager can be exploited to retrieve the master password from the software's memory. A PoC exploitation tool is publicly available, but the password can't be extracted remotely just by exploiting this flaw. The vulnerability affects the KeePass 2.X branch for Windows, and possibly for Linux and macOS. It has been fixed in the test versions of KeePass v2.54, with the official release expected by July 2023. KeePassXC, a fork of KeePassX, is not affected.