
KeePass Vulnerability: Hackers May Have Stolen the Master Passwords


One would expect a password manager to at least keep its users' passwords safe. On the contrary, a newly disclosed vulnerability has put users of the KeePass password manager at serious risk of having their master password exposed.

The vulnerability enables an attacker to extract the master password from the target computer's memory in plain text, that is, in unencrypted form. Although it is a fairly simple attack, the repercussions are expected to be unsettling.

Password managers such as KeePass keep a user's login information encrypted behind a single master password. The vault is a valuable target for attackers because the master password unlocks everything stored within it.

How is the KeePass Vulnerability a Problem?

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

This tool can recover the master password almost entirely in readable, unencrypted form, missing only the first one or two characters. It can do so even when the KeePass workspace is locked and, possibly, even after the application has been closed completely.

This is possible because the tool recovers the master password from KeePass's memory, which, as the researcher notes, can be obtained in several ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit is possible only because of some custom code KeePass uses. The master password is entered in a custom text box named SecureTextBoxEx. Despite its name, this box is not all that secure: each character entered leaves a leftover copy of itself in process memory. The PoC tool locates these leftover characters and reassembles them.
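The following is an added example, not the researcher's PoC or KeePass's own code: it models in C the leftover-copy behaviour described above with a toy bump allocator standing in for the process heap (an assumption; the real control is a .NET text box), contrasts it with a fixed buffer that is wiped after use, and then scans the arena the way a memory dump would be scanned, counting how many prefixes of the secret remain.

```c
#include <string.h>
/* Constructed toy heap: a bump allocator that never reuses memory, so abandoned
   copies stay visible, the way leftover strings linger in a process image. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;
static char *arena_alloc(size_t n) { char *p = (char *)arena + arena_top; arena_top += n; return p; }

/* Leaky pattern: every keystroke builds a fresh copy of everything typed so far
   (immutable-string style) and abandons the previous copy without wiping it. */
static void type_immutable(const char *typed) {
    char *cur = arena_alloc(1); cur[0] = '\0';
    for (size_t i = 0; typed[i]; i++) {
        size_t len = strlen(cur);
        char *next = arena_alloc(len + 2);
        memcpy(next, cur, len);
        next[len] = typed[i];
        next[len + 1] = '\0';
        cur = next;                  /* old prefix copy is left behind */
    }
}

/* Hardened pattern: one fixed buffer appended in place, then wiped with volatile
   stores the compiler cannot elide once the secret has been consumed. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
static void type_in_place(const char *typed) {
    char *buf = arena_alloc(64);
    size_t len = 0;
    for (size_t i = 0; typed[i] && len < 63; i++) buf[len++] = typed[i];
    buf[len] = '\0';
    /* ... the secret would be consumed here (e.g. key derivation) ... */
    secure_wipe(buf, 64);
}

/* Scan the arena like a dump: count distinct NUL-terminated prefixes (length >= 2) left behind. */
static int count_prefix_residue(const char *secret) {
    int found = 0;
    for (size_t k = 2; k <= strlen(secret); k++)
        for (size_t i = 0; i + k < ARENA_SIZE; i++)
            if (memcmp(arena + i, secret, k) == 0 && arena[i + k] == '\0') { found++; break; }
    return found;
}

/* Reset the arena, run one typing strategy, report how much a dump would reveal. */
int residue_after(void (*type_fn)(const char *), const char *secret) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
    type_fn(secret);
    return count_prefix_residue(secret);
}
```

With the constructed secret "s3cret!", the immutable-copy path leaves six recoverable prefixes in the arena while the in-place-and-wipe path leaves none.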

‘A Fix is Incoming’

The only limitation of this attack is that it requires physical access to the computer from which the master password is to be taken. That is not always an obstacle, however; as the LastPass case demonstrated, attackers can gain access to a target's computer by exploiting weak remote access software installed on the device.

If a device is infected with malware, that malware could also be configured to dump KeePass's memory and send it, together with the app's database, back to the attacker's server, giving the threat actor all the time needed to recover the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one of the potential fixes is to insert random dummy text into the app's memory to obscure the password. For anyone concerned about their master password being compromised, waiting until June or July 2023 for the update to be released may be agonizing. The fix, however, is also available in beta form and can be downloaded from the KeePass website.

Users' Data was Breached in 2021, Twitter Confirms

A Twitter spokesperson confirmed that the breach that exposed millions of users' profiles, including private phone numbers and email addresses, was indeed caused by the same data breach that Twitter disclosed in August 2022, in which millions of emails and phone numbers were obtained.

A Twitter spokesperson said the company's incident response team analyzed the leaked user data in November 2022. They found that each of the leaks was caused by the same vulnerability, and that the data had been collected before the flaw was fixed in January 2022.

The Twitter official posted, "When Twitter learned about the news, the Incident Response Team evaluated the newly released report, which compares the data to data published by the media on 21 July 2022. Upon comparison, the Incident Response Team found the exposed data was the same in both cases."

An update posted by Twitter on November 20, 2022, says that the data of some of its users may have been leaked online due to a security issue. 

Data was Leaked on a Hacker Forum

According to Twitter's bug bounty program, the company received a report about the issue in January 2022. As described in the announcement above, an API flaw allowed an attacker to submit email addresses or phone numbers to the API and obtain the Twitter ID associated with each one.

For Twitter users who wish to post anonymously, this poses a significant privacy risk, because members' phone numbers and email addresses are not meant to be public.

By the time Twitter fixed the problem, threat actors had already exploited the API vulnerability to build 5.4 million user profiles, combining public profile information with the private email addresses and phone numbers of millions of users.

The scraped data was put up for sale on a hacker forum in July 2022 for $30,000. According to the forum, two people are alleged to have bought the data for less than the asking price.

Following a threat actor operation in September and November 2022, a file containing all 5.4 million records scraped in 2021 was released to the public in JSON format. Previously, this file had been distributed privately among a limited number of threat actors and was not publicly available.

An independent researcher also shared samples of an additional set of Twitter profiles that had been scraped using the same vulnerability. These profiles were not among the 5.4 million compromised in the original breach.

According to the report, the data set collected using the same API flaw is reportedly much bigger, containing 17 million records. 

The full extent of the additional data set has not been confirmed. However, a report examined an excerpt of it containing 1.4 million previously undisclosed records of French Twitter accounts.

Although Twitter's recent update confirms that the data leaked last month is related to the previously disclosed vulnerability, the company has not confirmed exactly how many users were affected by the flaw.

Users are advised to enable two-factor authentication on their Twitter accounts, preferably using an authenticator app or a hardware key. Twitter also asked its users to be extra vigilant about any incoming emails related to their Twitter accounts.

Twitter warned that threat actors are likely to use the leaked information to build highly convincing phishing campaigns, so users should remain cautious whenever they receive email communication about their accounts.

It is always advisable to be cautious of emails that convey a sense of urgency or emails that appear to be requesting private information from you. Always ensure that the email is coming from an authentic Twitter source.