hpr_transcripts/hpr3888.txt

Episode: 3888
Title: HPR3888: KeePassXC recent CVE
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3888/hpr3888.mp3
Transcribed: 2025-10-25 07:29:51

---

This is Hacker Public Radio Episode 3888 for Wednesday, the 28th of June 2023.
Today's show is entitled, He Pass XC Recent CVE.
It is hosted by some guy on the internet, and is about 10 minutes long.
It carries a clean flag.
The summary is, some guy on the internet talks about KeyPass XC's security model and
a recent CVE.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet.
Today we're going to be talking about KeyPass XC, so on June 20, 2023, Jonathan White posted
on a KeyPass XC blog about an alleged vulnerability dubbed CVE Charlie Vector Echo, 2023 35 866.
This is centered around KeyPass XC version 2.7.5.
A user submitted this CVE suggesting that there is a flaw in KeyPass XC version 2.7.5,
and it classified it as a vulnerability suggesting that the password, the offline password manager,
does not offer online two-factor authentication during changes to the database, such as exporting
passwords into clear text.
If you wanted to export your entire database to plaintext or HTML or whatever,
the user wanted it to prompt you for the master password before exporting the passwords to plain
text.
The user also mentioned that the password manager does not prompt you for authentication whenever
you're doing things like registering a Ubiki, a hardworking, so the user filed this CVE
suggesting that the slack of second authentication for the offline password manager leaves the user
vulnerable.
Now, I'm just going to go ahead and tell you right now, I'm siding with the KeyPass XC development
team.
This is not a vulnerability, and I believe that yes, the user is confusing the KeyPass XC security
model when comparing it against online password managers that have to authenticate through
the wire.
There's been discussions on the blog, I'll have links down in the show notes.
Other users have brought up some, you know, I guess these are members of the KeyPass XC team.
They've been mentioning things like, you know, if an attacker has access to your unlocked database,
you have already lost.
And I believe that wholeheartedly, if you leave your KeyPass XC database unlocked for an attacker to
simply have full-fettered access, there is nothing that could stop them from screenshotting,
just, you know, using their phone, using a notepad, taking pictures, whatever.
So, you lost, you just need to lock your database when you're not using it, and they offer
the KeyPass XC development team, offer some suggestions, you know, setting up the,
the expiration timer on your database.
So, if it's inactive for, let's say, five minutes, it'll automatically lock the database,
protecting you. Now, the user also pointed out that they believed the user was made vulnerable
to the database being locked by the attacker, which would in result lock the owner out of their
own password manager. So, an example would be that the attacker approached the computer with the
unlocked database, registers a Ubiqui, and then lock the original owner out, because now the original
owner does not have the Ubiqui to unlock the database. KeyPass XC made clear that that's not
something to worry about, because if they wanted to just lock you out, they could just corrupt
your database, right? If that's all they were trying to do is just lock you out, they would corrupt
your database. Boom, now you no longer have access to it, because it's corrupted, and we all know
that backups, backups, backups, backups, or the solution for things like this, because I mean,
after all, sometimes hard drives, you know, I'm not going to go into all of that, but either way,
this is not a vulnerability, but it will be brought up in the press as some, you know, some massive
vulnerability that's going to leave you vulnerable to all sorts of attacks across the world,
and I want to give my two cents on it before it got a little too wide spread. So KeyPass XC version
2.7.5 is very safe to use. It's a local offline password manager, so you don't have to worry about
these additional steps of authentic, you know, reauthenticating once you've unlocked your database.
You understand, if you're following decent practices, the reasonable ones that have been
mentioned in the past by me and others, and KeyPass XC also has information on their website that
can further assist you with how to manage your database in a safe practice. You got nothing to
worry about. They also mentioned that there are petitioning against this CVE, because it's not
of vulnerability, you know, it's a user that got a little confused about the security model and
things, things got out of hand. All right, so let's talk about security theater. I just learned
this term while going over this whole article from KeyPass XC. I'm going to take us on over to
Wikipedia. Will we have a CC BYSA 4.0 article that we can use? Wikipedia tells us that security
theater is an unsafe practice. It only gives the user the illusion of security with unnecessary
security practices, such as prompting you over and over and over again for a password
on an offline password manager, that kind of thing, where some users may feel like this is a benefit.
The reality is it's so minuscule if any benefit is provided through this practice. Overall,
what it's going to do is it's going to convince people not to use security at all to avoid this
constant prompting, right? In other words, turning off the whole password prompting just because
it's annoying. It gets in the way. I'm going to start including this once I get set up to reboot
the Oh no news again. I'm going to make sure I include this in the additional information section
of the show. They give some great examples here on the page as well, such as confiscating water bottles,
but then allow you to buy bottled water. That's something you've experienced if you've ever been to
certain airports may do it. Don't let you bring your own bottled water in or whatever,
but you can buy bottled water once you get in. But I think airports will allow you to bring a
thermostat. It's so long as it's empty when you bring it in, and then you fill it up at like a
a water fountain or something like that. I'd also like to put the question out to the community.
Do you guys find this to be a helpful feature? Like if you use keypass XC, do you find it to be
helpful at all for you to be constantly prompt for your password after you've unlocked your password
manager and begin using it? So whenever you want to add a new entry into your password manager
or change an entry in your password manager, do you want to be prompted over and over again
because you're making changes to the database or if you were exporting, say for instance,
you're going to create a new database so that you can export some of your credentials from your
personal database over to this new one because maybe you're going into a work environment where you
don't want to have all your credentials unlocked only the necessary ones for that environment so you
export the necessary ones into a separate database that you can bring with you on like a thumb drive.
Do you think it's necessary to prompt you whenever you're making changes even though you've already
authenticated? Personally, I don't. I don't think it's necessary. I think we all have to take a certain
level of responsibility. You know, we have to own our own security and be responsible when using
these technologies. I don't need key pass XC to hold my hand as I'm using this password manager.
They've done enough in creating it and making it superb in my opinion. I don't need them looking
over my shoulder constantly going, hey, are you sure you need to do that? Are you sure you need to
know it? It just gets annoying in my opinion. But what do you think? You want to be prompted over
and over again? Do you think the props are necessary? Do you think the props will help new users be
more security minded or anything of that nature? What do you think? I'll tell you what though,
key pass XC may want to take some time and better explain how their technology is intended to
to be used. I think that would be an excellent step forward because if people are going to make
the comparison in this technology and offline password manager against something like an online
password manager, it's best to have it made abundantly clear. Yes, they serve the same purpose,
but they operate differently and offer some detail as to why you are not necessarily prompted
for every single action. Whereas in an online password manager, you may need to be prompted simply
because someone else is managing your secrets. All right, that's enough rambling from me on this
episode. I just wanted to get in here and do a quick show on key pass XC in the latest news.
I'll catch you guys in the next episode.
You have been listening to Hacker Public Radio. Hacker Public Radio does work. Today's show was
contributed by a HBR listener like yourself. If you ever thought of recording a podcast,
you click on our contribute link to find out how easy it leads. Hosting for HBR has been kindly
provided by an honesthost.com, the internet archive and our syncs.net. On the Sadois status,
today's show is released under Creative Commons, Attribution, 4.0 International License.
Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-26 10:54:13 +00:00			`Episode: 3888`
			`Title: HPR3888: KeePassXC recent CVE`
			`Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3888/hpr3888.mp3`
			`Transcribed: 2025-10-25 07:29:51`

			`---`

			`This is Hacker Public Radio Episode 3888 for Wednesday, the 28th of June 2023.`
			`Today's show is entitled, He Pass XC Recent CVE.`
			`It is hosted by some guy on the internet, and is about 10 minutes long.`
			`It carries a clean flag.`
			`The summary is, some guy on the internet talks about KeyPass XC's security model and`
			`a recent CVE.`
			`Hello and welcome to another episode of Hacker Public Radio.`
			`I'm your host, some guy on the internet.`
			`Today we're going to be talking about KeyPass XC, so on June 20, 2023, Jonathan White posted`
			`on a KeyPass XC blog about an alleged vulnerability dubbed CVE Charlie Vector Echo, 2023 35 866.`
			`This is centered around KeyPass XC version 2.7.5.`
			`A user submitted this CVE suggesting that there is a flaw in KeyPass XC version 2.7.5,`
			`and it classified it as a vulnerability suggesting that the password, the offline password manager,`
			`does not offer online two-factor authentication during changes to the database, such as exporting`
			`passwords into clear text.`
			`If you wanted to export your entire database to plaintext or HTML or whatever,`
			`the user wanted it to prompt you for the master password before exporting the passwords to plain`
			`text.`
			`The user also mentioned that the password manager does not prompt you for authentication whenever`
			`you're doing things like registering a Ubiki, a hardworking, so the user filed this CVE`
			`suggesting that the slack of second authentication for the offline password manager leaves the user`
			`vulnerable.`
			`Now, I'm just going to go ahead and tell you right now, I'm siding with the KeyPass XC development`
			`team.`
			`This is not a vulnerability, and I believe that yes, the user is confusing the KeyPass XC security`
			`model when comparing it against online password managers that have to authenticate through`
			`the wire.`
			`There's been discussions on the blog, I'll have links down in the show notes.`
			`Other users have brought up some, you know, I guess these are members of the KeyPass XC team.`
			`They've been mentioning things like, you know, if an attacker has access to your unlocked database,`
			`you have already lost.`
			`And I believe that wholeheartedly, if you leave your KeyPass XC database unlocked for an attacker to`
			`simply have full-fettered access, there is nothing that could stop them from screenshotting,`
			`just, you know, using their phone, using a notepad, taking pictures, whatever.`
			`So, you lost, you just need to lock your database when you're not using it, and they offer`
			`the KeyPass XC development team, offer some suggestions, you know, setting up the,`
			`the expiration timer on your database.`
			`So, if it's inactive for, let's say, five minutes, it'll automatically lock the database,`
			`protecting you. Now, the user also pointed out that they believed the user was made vulnerable`
			`to the database being locked by the attacker, which would in result lock the owner out of their`
			`own password manager. So, an example would be that the attacker approached the computer with the`
			`unlocked database, registers a Ubiqui, and then lock the original owner out, because now the original`
			`owner does not have the Ubiqui to unlock the database. KeyPass XC made clear that that's not`
			`something to worry about, because if they wanted to just lock you out, they could just corrupt`
			`your database, right? If that's all they were trying to do is just lock you out, they would corrupt`
			`your database. Boom, now you no longer have access to it, because it's corrupted, and we all know`
			`that backups, backups, backups, backups, or the solution for things like this, because I mean,`
			`after all, sometimes hard drives, you know, I'm not going to go into all of that, but either way,`
			`this is not a vulnerability, but it will be brought up in the press as some, you know, some massive`
			`vulnerability that's going to leave you vulnerable to all sorts of attacks across the world,`
			`and I want to give my two cents on it before it got a little too wide spread. So KeyPass XC version`
			`2.7.5 is very safe to use. It's a local offline password manager, so you don't have to worry about`
			`these additional steps of authentic, you know, reauthenticating once you've unlocked your database.`
			`You understand, if you're following decent practices, the reasonable ones that have been`
			`mentioned in the past by me and others, and KeyPass XC also has information on their website that`
			`can further assist you with how to manage your database in a safe practice. You got nothing to`
			`worry about. They also mentioned that there are petitioning against this CVE, because it's not`
			`of vulnerability, you know, it's a user that got a little confused about the security model and`
			`things, things got out of hand. All right, so let's talk about security theater. I just learned`
			`this term while going over this whole article from KeyPass XC. I'm going to take us on over to`
			`Wikipedia. Will we have a CC BYSA 4.0 article that we can use? Wikipedia tells us that security`
			`theater is an unsafe practice. It only gives the user the illusion of security with unnecessary`
			`security practices, such as prompting you over and over and over again for a password`
			`on an offline password manager, that kind of thing, where some users may feel like this is a benefit.`
			`The reality is it's so minuscule if any benefit is provided through this practice. Overall,`
			`what it's going to do is it's going to convince people not to use security at all to avoid this`
			`constant prompting, right? In other words, turning off the whole password prompting just because`
			`it's annoying. It gets in the way. I'm going to start including this once I get set up to reboot`
			`the Oh no news again. I'm going to make sure I include this in the additional information section`
			`of the show. They give some great examples here on the page as well, such as confiscating water bottles,`
			`but then allow you to buy bottled water. That's something you've experienced if you've ever been to`
			`certain airports may do it. Don't let you bring your own bottled water in or whatever,`
			`but you can buy bottled water once you get in. But I think airports will allow you to bring a`
			`thermostat. It's so long as it's empty when you bring it in, and then you fill it up at like a`
			`a water fountain or something like that. I'd also like to put the question out to the community.`
			`Do you guys find this to be a helpful feature? Like if you use keypass XC, do you find it to be`
			`helpful at all for you to be constantly prompt for your password after you've unlocked your password`
			`manager and begin using it? So whenever you want to add a new entry into your password manager`
			`or change an entry in your password manager, do you want to be prompted over and over again`
			`because you're making changes to the database or if you were exporting, say for instance,`
			`you're going to create a new database so that you can export some of your credentials from your`
			`personal database over to this new one because maybe you're going into a work environment where you`
			`don't want to have all your credentials unlocked only the necessary ones for that environment so you`
			`export the necessary ones into a separate database that you can bring with you on like a thumb drive.`
			`Do you think it's necessary to prompt you whenever you're making changes even though you've already`
			`authenticated? Personally, I don't. I don't think it's necessary. I think we all have to take a certain`
			`level of responsibility. You know, we have to own our own security and be responsible when using`
			`these technologies. I don't need key pass XC to hold my hand as I'm using this password manager.`
			`They've done enough in creating it and making it superb in my opinion. I don't need them looking`
			`over my shoulder constantly going, hey, are you sure you need to do that? Are you sure you need to`
			`know it? It just gets annoying in my opinion. But what do you think? You want to be prompted over`
			`and over again? Do you think the props are necessary? Do you think the props will help new users be`
			`more security minded or anything of that nature? What do you think? I'll tell you what though,`
			`key pass XC may want to take some time and better explain how their technology is intended to`
			`to be used. I think that would be an excellent step forward because if people are going to make`
			`the comparison in this technology and offline password manager against something like an online`
			`password manager, it's best to have it made abundantly clear. Yes, they serve the same purpose,`
			`but they operate differently and offer some detail as to why you are not necessarily prompted`
			`for every single action. Whereas in an online password manager, you may need to be prompted simply`
			`because someone else is managing your secrets. All right, that's enough rambling from me on this`
			`episode. I just wanted to get in here and do a quick show on key pass XC in the latest news.`
			`I'll catch you guys in the next episode.`
			`You have been listening to Hacker Public Radio. Hacker Public Radio does work. Today's show was`
			`contributed by a HBR listener like yourself. If you ever thought of recording a podcast,`
			`you click on our contribute link to find out how easy it leads. Hosting for HBR has been kindly`
			`provided by an honesthost.com, the internet archive and our syncs.net. On the Sadois status,`
			`today's show is released under Creative Commons, Attribution, 4.0 International License.`