October 19, 2024, 7:47 am | Read time: 3 minutes
As part of the “Code Analysis of Open Source Software” (CAOS 3.0) project, the German Federal Office for Information Security (BSI) took a closer look at two popular password managers and found a number of shortcomings.
The market is now saturated with a variety of password managers. Their aim is to protect users’ passwords and bundle them in one place. The German Federal Office for Information Security (BSI) conducted an examination of the free password managers “KeePass” and “Vaultwarden”, identifying two high-severity security vulnerabilities in the latter.
Code analysis for more secure programs
Since 2021, the BSI has been regularly analyzing and reviewing open-source software as part of the “CAOS” project. Among other things, this involves identifying and eliminating vulnerabilities in the source code; the programs are also checked for secure transmission of form data. Most recently, the free password managers “KeePass” and “Vaultwarden” were examined for defects. The BSI carried out the analyses together with an IT security company.
A free password manager with major security gaps
The BSI found security vulnerabilities in both examined password managers, but the more serious findings were in “Vaultwarden”, two of which were rated “high” severity. The Vaultwarden analysis covered version 1.30.3. Under a responsible disclosure procedure, the BSI informed the affected developers of the vulnerabilities, who responded with fixes. Users can therefore close these security gaps by updating their password manager to the latest version.
One of the two high-severity vulnerabilities concerns “offboarding,” the removal of members from an organization such as a company or government agency. “Vaultwarden” offers no clear process for this. A member’s client has already obtained the key that protects the organization’s data, so a former member who no longer has access through the server can still hold a copy of that key and decrypt any organization data they kept or later obtain, unless the key is rotated and the data re-encrypted.
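The following is an added example, not Vaultwarden’s code. It models the usual design of a shared organization vault (one symmetric organization key, wrapped once per member and unwrapped on the member’s client) with a toy authenticated stream cipher so that it runs offline; the member names, the vault contents and the `Organization` class are constructed for the illustration. It shows that deleting a member’s server-side records leaves the key in the former member’s hands, and what rotation has to do to actually lock them out.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream, illustration only; a real vault uses AES-GCM or similar.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # lets decrypt() detect a wrong key
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Member:
    def __init__(self, name: str):
        self.name = name
        self.user_key = secrets.token_bytes(32)  # stands in for the member's own key pair
        self.cached_org_key = None               # the copy a client holds after unlocking


class Organization:
    """Server-side view: one shared organization key, wrapped once per member."""

    def __init__(self):
        self.org_key = secrets.token_bytes(32)
        self.members = {}   # name -> Member
        self.wrapped = {}   # name -> org key encrypted under that member's key
        self.vault = []     # items encrypted under org_key

    def add_member(self, m: Member):
        self.members[m.name] = m
        self.wrapped[m.name] = encrypt(m.user_key, self.org_key)

    def unlock(self, m: Member):
        # The client fetches its wrapped copy and unwraps it; the key now lives on the client.
        m.cached_org_key = decrypt(m.user_key, self.wrapped[m.name])

    def store(self, plaintext: bytes):
        self.vault.append(encrypt(self.org_key, plaintext))

    def remove_member_naive(self, m: Member):
        # Offboarding without rotation: only the server-side records disappear.
        del self.members[m.name]
        del self.wrapped[m.name]

    def remove_member_with_rotation(self, m: Member):
        self.remove_member_naive(m)
        new_key = secrets.token_bytes(32)
        self.vault = [encrypt(new_key, decrypt(self.org_key, c)) for c in self.vault]
        self.org_key = new_key
        for other in self.members.values():
            self.wrapped[other.name] = encrypt(other.user_key, new_key)
            other.cached_org_key = None  # remaining clients must unlock again


def can_read(member: Member, org: Organization) -> bool:
    """True if the member's cached key decrypts every item currently in the vault."""
    if member.cached_org_key is None:
        return False
    try:
        for item in org.vault:
            decrypt(member.cached_org_key, item)
        return True
    except ValueError:
        return False


def scenario(rotate: bool):
    """Returns (former member can read, remaining member can read) after offboarding 'bob'."""
    org = Organization()
    alice, bob = Member("alice"), Member("bob")
    org.add_member(alice)
    org.add_member(bob)
    org.unlock(alice)
    org.unlock(bob)
    org.store(b"db-prod password: hunter2")  # constructed sample secret
    if rotate:
        org.remove_member_with_rotation(bob)
        org.unlock(alice)
    else:
        org.remove_member_naive(bob)
    org.store(b"secret added after bob left")  # still under the old key if nothing was rotated
    return can_read(bob, org), can_read(alice, org)
```

Rotation only protects data the former member has not already downloaded; anything they copied while still a member stays readable to them, which is why the offboarding process itself (and changing secrets that were shared) matters as much as the key handling.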
The second high-severity vulnerability concerns emergency access, the mechanism by which a trusted contact can be granted access to a user’s vault: there is no check that the user making a change to an emergency-access arrangement is actually authorized to do so. An attacker could thereby escalate to a level of access with more rights, or shorten the waiting period before access is granted. The following further vulnerabilities were classified as “medium”:
- Unauthorized access to encrypted data
- HTML injection possible
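The following is an added example, not Vaultwarden’s code, showing the class of bug described above: an update handler that looks an emergency-access record up by id and never checks who is asking, next to the same handler with an ownership check. The record fields, the access-type names “view” and “takeover”, the in-memory `Store` and the user ids are assumptions made for the illustration.

```python
from dataclasses import dataclass

ACCESS_TYPES = ("view", "takeover")  # assumed names; "takeover" carries more rights than "view"


@dataclass
class EmergencyAccess:
    id: int
    grantor_id: str       # vault owner who set up the arrangement
    grantee_id: str       # trusted contact who may request access
    wait_time_days: int   # delay before an unanswered request is granted automatically
    access_type: str


class Store:
    def __init__(self):
        self.records = {}

    def add(self, ea: EmergencyAccess):
        self.records[ea.id] = ea

    def get(self, ea_id: int):
        return self.records.get(ea_id)


def update_vulnerable(store, requester_id, ea_id, wait_time_days, access_type):
    """Looks the record up by id only: any authenticated user who knows (or guesses) the id
    can rewrite its terms, including the grantee named in it."""
    ea = store.get(ea_id)
    if ea is None:
        raise LookupError("no such emergency access")
    ea.wait_time_days = wait_time_days
    ea.access_type = access_type
    return ea


def update_fixed(store, requester_id, ea_id, wait_time_days, access_type):
    """Same operation with an authorization check: only the grantor may change what they granted.
    A missing record and someone else's record produce the same error, so ids cannot be probed."""
    ea = store.get(ea_id)
    if ea is None or ea.grantor_id != requester_id:
        raise PermissionError("not found or not the grantor")
    if access_type not in ACCESS_TYPES or wait_time_days < 1:
        raise ValueError("invalid emergency access terms")
    ea.wait_time_days = wait_time_days
    ea.access_type = access_type
    return ea


def attempt(handler, requester_id, wait_time_days, access_type):
    """Runs one update against a fresh constructed record and reports the resulting terms."""
    store = Store()
    store.add(EmergencyAccess(7, "owner", "contact", 7, "view"))  # constructed sample record
    try:
        handler(store, requester_id, 7, wait_time_days, access_type)
    except (PermissionError, ValueError, LookupError):
        pass
    ea = store.get(7)
    return ea.wait_time_days, ea.access_type
```

With the vulnerable handler, the grantee “contact” can set the waiting time to zero and upgrade themselves to the stronger access type; with the fixed handler the same request is rejected and the owner’s terms stand. The same check belongs on every endpoint that touches the record (approve, reject, delete), not just the update.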
Fewer vulnerabilities with KeePass
By contrast, KeePass, the other free password manager examined, showed only a few vulnerabilities, all of which were classified as “low” severity:
- Insecure global auto-type feature
- Incorrect certificate validation
KeePass’s global auto-type feature types the username and password of an entry into the currently active window when that window’s title matches the title of the entry. Users trigger it with the Ctrl+Alt+A keyboard shortcut. The risk is that a browser shows the page’s own title in its window title, so a malicious website can choose a title that matches a stored entry for a different site; a user who presses the shortcut while that page is focused then has the credentials of that other entry typed into the attacker’s form.
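The following is an added example, not KeePass’s code. It implements the title-containment rule described above over a constructed sample database and shows that a page hosted elsewhere which sets its title to “Example Bank” selects the bank entry, while matching on the origin the page was actually loaded from (the approach browser integrations take) does not. The entries, URLs and the `find_by_origin` helper are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample database; the bank entry is what a phishing page would want.
ENTRIES = [
    {"title": "GitHub", "url": "https://github.com/login", "username": "dev", "password": "gh-s3cret"},
    {"title": "Example Bank", "url": "https://bank.example/login", "username": "acct", "password": "bank-s3cret"},
    {"title": "", "url": "", "username": "old", "password": "x"},  # untitled entry, must never match
]


def find_by_window_title(entries, window_title):
    """Global auto-type rule as described: an entry matches when the active window's title
    contains the entry's title, compared case-insensitively.  The browser copies the page's
    <title> into the window title, so the page author controls the input to this check."""
    haystack = window_title.casefold()
    return [e for e in entries if e["title"] and e["title"].casefold() in haystack]


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme, parts.hostname


def find_by_origin(entries, page_url):
    """Origin-based matching: compare the scheme and host the page was loaded from with the
    entry's stored URL.  A phishing page cannot choose its own origin."""
    page = _origin(page_url)
    return [e for e in entries if e["url"] and _origin(e["url"]) == page]


def titles(matches):
    return [e["title"] for e in matches]
```

If several entries match, KeePass shows a selection dialog; with exactly one match it types immediately, so an attacker picks a title that matches one valuable entry. Enabling KeePass’s option to always show the global auto-type entry selection dialog puts a human decision back in front of every match.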
With regard to the faulty certificate check, the BSI explained that KeePass does not validate the TLS certificate when importing data from spamex.com. An attacker positioned between the client and the server could therefore carry out a so-called man-in-the-middle attack: because a faulty certificate is accepted, they could intercept and manipulate the data traffic without being noticed.
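The following is an added example, not KeePass’s code, showing in Python’s standard `ssl` module what accepting any certificate amounts to, next to the corrected client setting; the `fetch` helper and its guard are assumptions for the illustration.

```python
import ssl
import urllib.request


def context_accepting_any_certificate() -> ssl.SSLContext:
    """What an importer that accepts faulty certificates effectively runs with: no chain
    validation and no hostname check, so anyone on the path can present their own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_with_validation() -> ssl.SSLContext:
    """Corrected setting: platform trust store, CERT_REQUIRED and hostname matching."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def settings(ctx: ssl.SSLContext):
    """The two properties a reviewer checks on any TLS client context."""
    return ctx.verify_mode.name, bool(ctx.check_hostname)


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    return settings(ctx) == ("CERT_REQUIRED", True)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Downloads import data over TLS (network required); refuses an unverified context
    so the weak setting cannot be passed in by mistake."""
    if not verifies_peer(ctx):
        raise ValueError("refusing to import over an unverified TLS connection")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```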