Passwords are leaked under certain circumstances #2502
Closed
Description
Expected Behavior
After databases are unlocked, knowledge of the master password is always required (if configured) to unlock databases.
Current Behavior
Under certain circumstances (see steps to reproduce), the field for the master password contains exactly the master password after the database is locked, so the authentication process is bypassed and saved passwords are leaked.
Possible Solution
This issue did not exist before today. I guess it's related to d612cad (Refactor Database and Database widgets).
Steps to Reproduce (for bugs)
- In Settings -> Security -> Lock databases after inactivity of, set the value to a short time (e.g., 10 seconds) for easier issue reproduction.
- In Settings -> General, enable "Minimize instead of app exit", "Show a system tray icon" and "Hide window to system tray when minimized".
- Create a test database, keep it unlocked and minimize the KeePassXC main window.
- Wait for 10 seconds for the database to be locked.
- Click on the tray icon. The main window appears again. However, the master password field contains the correct password, so hitting OK unlocks the database.
Context
Minimizing KeePassXC to the system tray and waiting for databases to be locked is part of my daily workflow.
Debug Info
KeePassXC - Version 2.4.0-snapshot
Build Type: Snapshot
修訂: d612cad
函式庫:
- Qt 5.12.0
- libgcrypt 1.8.4
作業系統:Arch Linux
處裡器架構:x86_64
核心:linux 4.19.3-arch1-2-ARCH
已啟用的擴充元件:
- Auto-Type
- Browser Integration
- SSH Agent
- YubiKey