
[2.0.11.0] keepassnatmsg exposing entry without asking for permission #83


@gab

I have an entry for a pastebin account in my database. I was very surprised to notice that keepassnatmsg is straight up sending the password to keepassxc-browser without asking for permission. I double-checked that there is no string field in the entry with a stored permission, and even used the "Remove all stored permissions" button in the plugin settings, but the entry is still getting exposed without my intervention!

These are the config entries in my Keepass.config.xml which might be relevant - note that I was using the "real" keepasshttp before switching to keepassnatmsg:

		<Item>
			<Key>KeePassHttp_ReceiveCredentialNotification</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SpecificMatchingOnly</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_UnlockDatabaseRequest</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_AlwaysAllowAccess</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_AlwaysAllowUpdates</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SearchInAllOpenedDatabases</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_MatchSchemes</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ReturnStringFields</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SortResultByUsername</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ListenerPort</Key>
			<Value>19455</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ReturnStringFieldsWithKphOnly</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ListenerHost</Key>
			<Value>localhost</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_HideExpired</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassNatMsg_OverrideKeePassXcVersion</Key>
			<Value />
		</Item>
		<Item>
			<Key>KeePassHttp_SearchUrls</Key>
			<Value>true</Value>
		</Item>

Here's a database with a similar entry that reproduces the issue on my end (fake username and password used): keepassnatmsg bug repro.zip
Password of the database: keepassnatmsg
The password is being sent to a connected KeepassXC-Browser as soon as I visit https://pastebin.com/login.

Note that this is with version 2.0.11.0 of the plugin and Keepass 2.45, since, as explained in the other issue I opened, I'm stuck on those versions. However, this sounds like a very serious security issue and I haven't seen a fix for it in the changelog, so I have all reasons to believe that the bug still exists in the current version.
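As an added example (not part of the issue or of the keepassnatmsg project), here is a small audit of the access-related keys from the Keepass.config.xml posted above: it parses the `Item`/`Key`/`Value` layout and reports which settings widen what the plugin hands to the browser extension. The sample XML is constructed from the posted items, and the list of which keys count as permissive is an assumption of this audit, not something the plugin publishes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the access-related <Item> entries from the posted
# Keepass.config.xml, wrapped in a minimal root so the snippet parses stand-alone.
SAMPLE_CONFIG = """<Configuration><Custom>
<Item><Key>KeePassHttp_AlwaysAllowAccess</Key><Value>false</Value></Item>
<Item><Key>KeePassHttp_AlwaysAllowUpdates</Key><Value>false</Value></Item>
<Item><Key>KeePassHttp_SearchInAllOpenedDatabases</Key><Value>true</Value></Item>
<Item><Key>KeePassHttp_ReturnStringFields</Key><Value>true</Value></Item>
<Item><Key>KeePassHttp_ReturnStringFieldsWithKphOnly</Key><Value>true</Value></Item>
<Item><Key>KeePassNatMsg_OverrideKeePassXcVersion</Key><Value /></Item>
</Custom></Configuration>"""

# Assumption of this audit: keys whose value "true" widens credential exposure,
# with a short reason reported for each.
PERMISSIVE_WHEN_TRUE = {
    "KeePassHttp_AlwaysAllowAccess": "credentials are released without a per-entry prompt",
    "KeePassHttp_AlwaysAllowUpdates": "entries can be updated without confirmation",
    "KeePassHttp_SearchInAllOpenedDatabases": "every open database is searched, not only the active one",
    "KeePassHttp_ReturnStringFields": "custom string fields are returned together with the password",
}


def load_items(xml_text):
    """Return {Key: Value} for every <Item>; an empty <Value /> becomes ''."""
    root = ET.fromstring(xml_text)
    items = {}
    for item in root.iter("Item"):
        key = item.findtext("Key")
        if key:
            items[key] = (item.findtext("Value") or "").strip()
    return items


def audit(items):
    """Return [(key, reason)] for every permissive setting that is switched on."""
    return [
        (key, reason)
        for key, reason in PERMISSIVE_WHEN_TRUE.items()
        if items.get(key, "false").lower() == "true"
    ]


if __name__ == "__main__":
    for key, reason in audit(load_items(SAMPLE_CONFIG)):
        print(f"{key}: {reason}")
```

Run against the posted config, the audit flags only the two search/string-field keys; `KeePassHttp_AlwaysAllowAccess`, the setting that would legitimately suppress the prompt, is already `false`.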
