KeePassRPC vulnerability age

Thanks for the fast fix. Sadly I read over the most important part which makes this vulnerability really an ultimate MCA: every version prior to 1.12.1 is vulnerable.

So there is quite a big chance that in many years of use this might have been exploited.
I never thought this might be possible with a browser extension…
I am changing all my passwords now and will ditch the extensions for more security.

Can you please highlight this in your announcement so others (who also read over this) really become aware of this? Since all versions prior to 1.12.1 are vulnerable, wouldn’t it be a good idea to take them offline?

Thank you for the feedback @cqmr . You’ve raised interesting points that I’m sure some other people will be wondering about too. I have moved your post to its own topic in order to help people find it and keep discussion focused on specific concerns where possible - please feel free to modify the title I chose if you feel it does not accurately summarise your post.

Sadly I read over the most important part which makes this vulnerability really an ultimate MCA: every version prior to 1.12.1 is vulnerable.

I wrote the announcement with the intention of ensuring that the most prominent message that people took away from reading it would be the need to take immediate action to manually update the KeePassRPC.plgx plugin in their KeePass installation. In my opinion, this is the most important part. While it is true that some newly discovered flaws in software can be traced back to a specific recent version, it is rare that this information is practically useful, assuming that a new release has been made available which fixes the flaw.

Without wishing to downplay the severity of theses flaws in KeePassRPC, when considering the issue of how long they were exploitable for before being discovered, they do not stand alone. Many equally critical flaws in browsers and operating systems have been exploitable for even longer than KeePassRPC has existed - any of these could have resulted in the contents of a KeePass database being exposed if an attacker exploited them before they were patched.

Exploiting the recently fixed flaws in KeePassRPC would have required specialist knowledge and custom-written code to target KeePassRPC. While it is not impossible that an exploit for one of the flaws may have been incorporated into broader general-purpose drive-by exploit suites, the nature of the information available upon successful exploit would imply that any successful attack would have been targeted towards specific individuals, or at least result in a visible impact relatively quickly (such as every user/password combination being added to credential stuffing databases or a broad attack on many accounts held within the compromised KeePass database). Given these factors and the lack of evidence to point to any previously successful exploits, and the lack of exploits circulating in the usual “dodgy” parts of the internet, I think it is reasonable to think that the length of time the vulnerability has been present for is not a very significant factor in determining the likelihood of an exploit having been applied to any given KeePassRPC user.

For these reasons, I do not feel it is appropriate to modify the announcement in order to apply greater prominence to the number of versions that were affected.

Since all versions prior to 1.12.1 are vulnerable, wouldn’t it be a good idea to take them offline?

What would have been a great option in the circumstances would be to disable the old versions from loading in KeePass itself. Firefox, for example, offers a similar feature whereby I would be able to request vulnerable versions to be blocklisted (if a similarly critical flaw were ever to be found in the browser extension). Of course, Firefox also offers automatic updates for browser extensions which is a huge security benefit in comparison to the manual updates that KeePass requires.

I don’t think it is practical to remove the old versions from every place that they could be found and downloaded from and I do not think that deleting the old releases and associated information from GitHub would be an appropriate response that offers enough benefit to justify the reduction in transparency that this would result in. Additionally, I am not aware of this course of action being typical as part of a response to a security vulnerability being fixed so such an action would likely go against the expected behaviour of a software project. Just in case there are any recent sources which point to old releases, I have now added a warning to the GitHub release information for the past few KeePassRPC releases. As a general rule though, I would hope that everyone in the world is already aware that running old versions of software can come with security risks so I hope that this action was not strictly necessary.

I never thought this might be possible with a browser extension…
I am changing all my passwords now and will ditch the extensions for more security.

I appreciate that it’s very hard to use the precise terminology and understand all the differences between the components that enable what many people think of as just a “browser extension”. However, it is important to be clear about the differences to avoid causing confusion for others that may read this. So, while you may see this as pedantry, I must point out that the flaw was unrelated to the browser extension; it relates only to the KeePassRPC KeePass plugin. Most people have only installed the KeePassRPC plugin as a result of first installing the browser extension so it is easy to confuse the two components but they are entirely different.

Removing the browser extension will have no effect on increasing the security in relation to this recently discovered flaw in KeePassRPC. Removing the old insecure KeePassRPC plugin from KeePass will increase security if you do not wish to update the plugin to the latest version. Once the KeePassRPC plugin is removed you will only be able to use the Kee browser extension with Kee Vault.

Thanks for your verbose answer!
I mixed up some things. The thing I actually ditched was the KeePassRPC plugin, not the browser extension.

Nevertheless I took it as a starting point to rethink my password management and I now try to harden my concept. The KeePassRPC plugin is not a part of it anymore.