Closed Angelelz closed 5 years ago
Thank you for your very profound research, @Angelelz! We've fixed the issue in v3.1.1.
That is the beauty of the open source community! I can confirm this issue is fixed. Thank you for working on it so fast!
Hey @Angelelz, thanks for the update. Is it possible to make a general article or link to an existing one, or if I can have access to your project? Thanks!
Given the sensitivity of the issue, I would wait for @shuffle-c's or @sirAndros's approval to make that project public. Anyone using the persistent key that has not updated to KeePassWinHello 3.1.1 could be vulnerable to an attack made with that project.
> Hey @Angelelz, thanks for the update. Is it possible to make a general article or link to an existing one, or if I can have access to your project? Thanks!
I just made the Project public for reference, as enough time has passed since the issue was patched.
The Plugin never checks if the persistent key has been changed and continues to use it even if it is not a secure one.
I wrote all the details of this issue in my private project due to the sensitivity of the information. @sirAndros and @shuffle-c are added as collaborators.