[2.0.11.0] keepassnatmsg exposing entry without asking for permission

[gab]

I have an entry for a pastebin account in my database. I was very surprised to notice that keepassnatmsg is straight up sending the password to keepassxc-browser without asking for permission. I double-checked that there is no string field in the entry with a stored permission, and even used the "Remove all stored permissions" button in the plugin settings, but the entry is still getting exposed without my intervention!

These are the config entries in my Keepass.config.xml which might be relevant - note that I was using the "real" keepasshttp before switching to keepassnatmsg:

		<Item>
			<Key>KeePassHttp_ReceiveCredentialNotification</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SpecificMatchingOnly</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_UnlockDatabaseRequest</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_AlwaysAllowAccess</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_AlwaysAllowUpdates</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SearchInAllOpenedDatabases</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_MatchSchemes</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ReturnStringFields</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_SortResultByUsername</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ListenerPort</Key>
			<Value>19455</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ReturnStringFieldsWithKphOnly</Key>
			<Value>true</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_ListenerHost</Key>
			<Value>localhost</Value>
		</Item>
		<Item>
			<Key>KeePassHttp_HideExpired</Key>
			<Value>false</Value>
		</Item>
		<Item>
			<Key>KeePassNatMsg_OverrideKeePassXcVersion</Key>
			<Value />
		</Item>
		<Item>
			<Key>KeePassHttp_SearchUrls</Key>
			<Value>true</Value>
		</Item>

Here's a database with a similar entry that reproduces the issue on my end (fake username and password used): keepassnatmsg bug repro.zip
Password of the database: keepassnatmsg
The password is being sent to a connected KeepassXC-Browser as soon as I visit https://pastebin.com/login.

Note that this is with version 2.0.11.0 of the plugin and Keepass 2.45, since as explained in the other issue I opened, I'm stuck on those versions. However this sounds like a very serious security issue and I haven't seen a fix for it in the changelog, so I have all reasons to believe that the bug still exists in the current version.

[smorks]

thanks, i have been able to re-produce the issue. it appears to be when you enter the matching hostname without "http[s]://" (in front in either the title or the URL field, then it doesn't prompt for credentials. i will get this fixed ASAP.

the code that's handling this appears to be a direct copy of what was in KeePassHttp. nice catch!

[gab]

@smorks Any reason this fix doesn't feature prominently in the release notes for the latest version? It seems to me that some people that would otherwise skip the update (as I do to avoid new bugs when nothing in the changelist is of concern to me) will want to get it because of the security issue.

Before your fix, even a well sandboxed browser (such as by Sandboxie) could become an attack vector if it was compromised, by having the keepassxc-browser extension ask for a bunch of known websites and thereby harvesting any DB entry the user created without an http[s]:// prefix. Since putting just the domain in the URL field is handy to avoid being prompted again as websites update their login url (ex.; from auth.website.com to login.website.com), I suspect a lot of people follow that setup and are vulnerable unless they update.

[smorks]

sorry, i did mean to put it in the release notes. will add it now, thanks.