sirAndros / KeePassWinHello

Quick unlock KeePass 2 database using biometrics with Windows Hello
MIT License

Security issues with the persistent key implementation #38

Closed Angelelz closed 5 years ago

Angelelz commented 5 years ago

The Plugin never checks if the persistent key has been changed and continues to use it even if it is not a secure one.

I wrote all the details of this issue in my private project due to the sensitivity of information. @sirAndros and @shuffle-c are added as collaborators.

shuffle-c commented 5 years ago

Thank you for your very profound research, @Angelelz! We've fixed the issue in v3.1.1.

Angelelz commented 5 years ago

That is the beauty of the open source community! I can confirm this issue is fixed. Thank you for working on it so fast!

waellus commented 4 years ago

Hey @Angelelz thanks for the update. Is it possible to make a general article or link to an existing one, or if I can have access to your project? Thanks!

Angelelz commented 4 years ago

Given the sensitivity of the issue, I would wait for @shuffle-c or @sirAndros approval to make that project public. Anyone using the persistent key that has not updated to KeePassWinHello 3.1.1 could be vulnerable to an attack made with that project.

Angelelz commented 2 years ago

> Hey @Angelelz thanks for the update. Is it possible to make a general article or link to an existing one, or if I can have access to your project? Thanks!

I just made the Project public for reference, as enough time has passed since the issue was patched.