Chrome KeePass is probably saving a copy of your master key to disk.

Who is affected?

Anyone who has ever used the “remember” feature of CKP.

Why does this happen?

How do you keep KeePass credentials cached for longer than a program is running? CKP's answer was to write them to disk along with an expiration time.

CKP tried to be clever about this by setting a background alarm that checks for expiration every 10 minutes and erases the credentials once they have expired.

However, the mechanism CKP chose for persisting to disk was chrome.storage (chrome.storage.local, the non-synced variant). Chrome backs that API with LevelDB, the same log-structured key/value store behind IndexedDB, and a log-structured store never edits a value in place: a write appends a new record to a log file, a delete appends a deletion marker, and the superseded records stay on disk until LevelDB compacts the files on its own schedule. An extension has no API to force that compaction.

Suppose you use chrome.storage.local to set the key/value pair {'foo': 'bar'}, and later update foo to baz. Querying the API returns baz, but on disk there are now two records for foo, and the older one still holds bar for anyone who reads the file directly.

Why is this bad?

There are at least two problems with this approach.

First: even if the expiry mechanism worked perfectly, it leaves a copy of your master key on disk, unencrypted, whenever you use CKP to decrypt your database and then shut down or power off your computer before the timer fires. Until you launch Chrome again, no code runs to check for expiration. If your computer is lost or stolen while powered off, and the disk is not encrypted, game over.

Second: the expiry never actually removed anything. You might have hundreds of copies of your credentials on disk. Each time you are notified "Remembered password expired", Chrome appends a deletion marker for the key to the storage log without touching the earlier entries; the cached key is hidden from the API, not erased.
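To see exactly what the storage log holds after the foo/bar/baz update above and after an expiry delete, here is an added example (not code from CKP or Chrome): a small Python reader for LevelDB's write-ahead log format, which is what the *.log files in a Chrome "Local Extension Settings" folder contain. It parses a constructed sample log, not a real CKP file, and can also be pointed at a real folder. Two assumptions are made: Chrome stores the chrome.storage.local key string as the LevelDB key with the value JSON-encoded, and the key name CKP uses is not stated on this page, so `b"foo"` stands in for it.

```python
"""Added example (not CKP's or Chrome's code): read the LevelDB write-ahead
logs (*.log files) in a Chrome "Local Extension Settings/<id>" folder and
list every put and delete ever recorded for one key.  Format, per
leveldb/doc/log_format.md: 32 KiB blocks of records with a 7-byte header
CRC32C(4)|length(2,LE)|type(1) (1 FULL, 2 FIRST, 3 MIDDLE, 4 LAST); each
payload is a WriteBatch: seq(8)|count(4)| entries of 0x01 varint key varint
value (put) or 0x00 varint key (delete).  CRCs are not verified, and
compacted *.ldb tables are out of scope."""
import struct
from pathlib import Path

BLOCK_SIZE, HEADER_SIZE = 32768, 7
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4
K_DELETE, K_PUT = 0, 1

def _varint(buf, pos):
    """Decode a varint32 at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def _put_varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def iter_records(data):
    """Yield each logical record's payload, reassembling FIRST/MIDDLE/LAST."""
    pos, partial = 0, b""
    while pos + HEADER_SIZE <= len(data):
        room = BLOCK_SIZE - pos % BLOCK_SIZE
        if room < HEADER_SIZE:          # block trailer: zero padding
            pos += room
            continue
        _crc, length, rtype = struct.unpack_from("<IHB", data, pos)
        if rtype == 0 and length == 0:  # zero-filled tail of a preallocated file
            break
        pos += HEADER_SIZE
        chunk, pos = data[pos:pos + length], pos + length
        if rtype == FULL:
            yield chunk
        elif rtype == FIRST:
            partial = chunk
        elif rtype == MIDDLE:
            partial += chunk
        elif rtype == LAST:
            yield partial + chunk
            partial = b""

def parse_batch(payload):
    """Decode one WriteBatch into (op, key, value) tuples, in logged order."""
    _seq, count = struct.unpack_from("<QI", payload, 0)
    pos, ops = 12, []
    for _ in range(count):
        tag, pos = payload[pos], pos + 1
        klen, pos = _varint(payload, pos)
        key, pos = payload[pos:pos + klen], pos + klen
        if tag == K_PUT:
            vlen, pos = _varint(payload, pos)
            ops.append(("put", key, payload[pos:pos + vlen]))
            pos += vlen
        else:
            ops.append(("delete", key, None))
    return ops

def history(log_bytes, key):
    """Every operation ever logged for `key`, oldest first."""
    return [op for payload in iter_records(log_bytes)
            for op in parse_batch(payload) if op[1] == key]

def scan_folder(folder, key):
    """history() over every *.log file in an extension's storage folder."""
    return [op for path in sorted(Path(folder).glob("*.log"))
            for op in history(path.read_bytes(), key)]

# Constructed sample log (not a real CKP file), framed as LevelDB's writer
# frames records, with the CRC field left zero.  The second record is split
# into FIRST+LAST fragments only to exercise the reassembly path.
def _record(payload, split_at=None):
    if split_at is None:
        return struct.pack("<IHB", 0, len(payload), FULL) + payload
    head, tail = payload[:split_at], payload[split_at:]
    return (struct.pack("<IHB", 0, len(head), FIRST) + head
            + struct.pack("<IHB", 0, len(tail), LAST) + tail)

def _batch(seq, ops):
    body = struct.pack("<QI", seq, len(ops))
    for op, key, value in ops:
        body += bytes([K_PUT if op == "put" else K_DELETE]) + _put_varint(len(key)) + key
        if op == "put":
            body += _put_varint(len(value)) + value
    return body

# set foo="bar", then set foo="baz", then remove foo (what an expiry does):
# all three survive on disk because nothing is rewritten in place.
SAMPLE_LOG = (_record(_batch(1, [("put", b"foo", b'"bar"')]))
              + _record(_batch(2, [("put", b"foo", b'"baz"')]), split_at=10)
              + _record(_batch(3, [("delete", b"foo", None)])))
```

Running history(SAMPLE_LOG, b"foo") returns the put of "bar", the put of "baz" and the delete, in that order: the two values are still there, and the delete is just a third record. Pointing scan_folder at a copy of the CKP folder with the key CKP actually uses does the same over a real profile. Records that LevelDB has already compacted into *.ldb tables are not read here, so an empty result does not prove the key was never written.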

Will it be fixed?

No. I spoke with the lead developer, and CKP has been archived on GitHub. I disagree with this reaction because at the time of this writing, ~44K people use CKP and most will never be aware of this vulnerability.

Note that your master key is not your master password. It is derived by hashing your master password together with your keyfile, and the password cannot be recovered from it. That is little comfort, since the master key alone is enough to decrypt your KeePass database.

What should I do about it?

The storage lives in a per-extension folder inside your Chrome profile. It is owned by your user account, so no special privileges are needed to read it:

  • Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\lnfepbjehgokldcaljagbmchhnaaogpc\
  • Mac: ~/Library/Application Support/Google/Chrome/Default/Local\ Extension\ Settings/lnfepbjehgokldcaljagbmchhnaaogpc/
  • Linux: ~/.config/google-chrome/Default/Local\ Extension\ Settings/lnfepbjehgokldcaljagbmchhnaaogpc/

(If you use more than one Chrome profile, replace "Default" with that profile's directory name.) To get rid of it:

  1. Uninstall CKP by opening Chrome, navigating to chrome://extensions and clicking the trash icon next to CKP. This should be enough to remove that folder, but optionally you can…
  2. Check that the folder is actually gone, and delete it yourself if it is not.

Deleting the folder does not scrub the underlying disk blocks. If you think the computer was exposed while a key was cached, change your master password (and keyfile, if you use one) so that the cached key no longer opens your database.

Are there any alternatives to CKP?

Yes! I’ve recently launched Tusk. Tusk has all of the features of CKP, plus a refreshed interface written in Vue.js, and does not persist your credentials to disk. This means that when you close Google Chrome (or are idle for a specified period) your credentials are removed from active memory and eventually garbage collected.

Who are you?

I’m a recent contributor to the CKP project. On GitHub, I’m subdavis. I discovered this flaw while working on a reboot of CKP called Tusk.

TL;DR

Uninstall CKP and you’ll be fine. Replace it with Tusk if you want to.