@jjx

Hi Jennifer.

Thanks for sharing the link to the post regarding

I have read it and enjoyed it very much. Well done for getting it out there.

Just a couple of things if I may:

A fix has already been issued as of 2.53.1 to mitigate the ‘scripting issue’ moving forward. It would be good if you mentioned this in your post to make sure it remains relevant and up to date.

There are other forks such as KeePassXC which do not support scripting and are not vulnerable to this CVE. Again, it might be something you want to mention to give your readers more depth of knowledge.

I wrote a post about this myself back on Feb 18, 2023 called: Can We Trust KeePass Password Manager Moving Forward?

KeePass does get updated on a regular basis and it is not really the same as it was back in 2003. Also, they have maintained a legacy version, KeePass 1.x, which should not suffer from this issue either.

It is also vital that people know the developer was active and engaging, and even though they did not fully agree with the CVE, they acted in the public interest and patched it.

There are also proof-of-concept designs which help inform people how this simple attack can be attempted; some are on GitHub, and I forked one and link back to it from my article.

I have linked to my article below, which takes a different spin than yours. It provides a different approach and a different perspective on the outcome in comparison. If you want to link them together, just let me know.

It is an interesting topic, and I feel the real question is: this is a feature of the software (exporting), but why were there no protections turned on by default to require the master password to trigger it (there is already a setting for this, but it is not on by default)?

Another related topic is allowing scripts to run in a password manager.

Yet another one relates to the ability to run third-party scripts in a password manager (hence the different forks).

And another one relates to whether people should be running away to a different fork when those forks are maintained by other developers and have their own vulnerabilities, or whether we should stay, based on this being a feature, the discussions about it since 2019, the developer actively engaging, and the patching to address public concerns.

I feel we could talk about this for quite a while.

profcybernaught.hashnode.dev/c

#keepass #password #passwordmanager #keepassxc #security #cybersecurity #vulnerability #vulnerabilityintelligence #cve #cve202324055

Last updated 1 year ago

KeePass Password Manager:

Are we really slating the developers to the point where articles are promoting such opinions as: "KeePass is bad", "Never use KeePass", "KeePass is backdoored", "KeePass devs know nothing about security!"?

I am sick of hearing people blast the developers of KeePass and use psychological techniques such as "appeal to authority," specifically an "appeal to self-authority" or "appeal to personal experience".

This has even been done by so-called industry workers ending their ill-informed articles with such things as: "Having X years in cybersecurity, I will never be using KeePass ever again."

On that note, here is my own two-cents on the matter in a blog article. Take a read and let me know your thoughts:

profcybernaught.hashnode.dev/c

By the way, I still use KeePass as I do not trust any of the Cloud Password Managers at all (and with good reason).

#keepass #cybersecurity #password #passwordmanager #security #cve #cve202324055

