The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation.
https://www.ghacks.net/2023/02/01/keepass-password-manager-vulnerability-what-you-need-to-know/
严格来讲,如果本身系统环境不安全的话,密码管理工具再安全也没用,不过还是建议大家桌面端用 keepass 的调整为 KeePassXC 不带有 trigger 的版本。
 |
1
LemonZest Feb 1, 2023
trigger 是什么,触发自动填充的吗?
|
 |
2
ludofastora OP @sunshower 就是触发器功能,比如可以保存后自动备份之类的
|
 |
3
cycloner Feb 2, 2023
临时解决办法,
 不过 keepass 官方不认为这是个风险,https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/ 我个人也认为既然都得到配置文件的写权限了,其实是电脑已经被黑了,能做的就太多了 |
|
4
cycloner Feb 2, 2023
第一次发图片不知道怎么发上来,汗,参考看吧
|
Select Language