The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation.
https://www.ghacks.net/2023/02/01/keepass-password-manager-vulnerability-what-you-need-to-know/
严格来讲,如果本身系统环境不安全的话,密码管理工具再安全也没用,不过还是建议大家桌面端用 keepass 的调整为 KeePassXC 不带有 trigger 的版本。
1
sunshower 2023-02-01 23:57:23 +08:00
trigger 是什么,触发自动填充的吗?
|
2
ludofastora OP @sunshower 就是触发器功能,比如可以保存后自动备份之类的
|
3
cycloner 2023-02-02 14:59:09 +08:00
临时解决办法,
不过 keepass 官方不认为这是个风险,https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/ 我个人也认为既然都得到配置文件的写权限了,其实是电脑已经被黑了,能做的就太多了 |
4
cycloner 2023-02-02 15:00:47 +08:00
第一次发图片不知道怎么发上来,汗,参考看吧
|