Security issues with the persistent key implementation #38
Comments
Thank you for your very profound research, @Angelelz! We've fixed the issue in v3.1.1.
That is the beauty of the open source community! I can confirm this issue is fixed. Thank you for working on it so fast!
Hey @Angelelz thanks for the update. Is it possible to make a general article or link to an existing one, or if I can have access to your project?
Given the sensitivity of the issue, I would wait for @shuffle-c or @sirAndros approval to make that project public. Anyone using the persistent key that has not updated to KeePassWinHello 3.1.1 could be vulnerable to an attack made with that project.
I just made the Project public for reference, as enough time has passed since the issue was patched.
The Plugin never checks if the persistent key has been changed and continues to use it even if it is not a secure one.
I wrote all the details of this issue in my private project due to the sensitivity of information. @sirAndros and @shuffle-c are added as collaborators.