Suramya's Blog : Welcome to my crazy life…

February 2, 2023

KeePass vulnerability that allows anyone with write access to the config file to export all stored passwords

Filed under: Computer Security,Tech Related — Suramya @ 5:17 PM

KeePass is an open-source password manager that I have been using for a few years. For me the main attraction was that the password database is stored locally instead of using a cloud-based solution, although you can configure it to save the password file on a cloud store if you want.

Recently a security ‘vulnerability’ has been found in KeePass that allows someone with access to the system where KeePass is installed to export the entire password database to cleartext without any user intervention. Basically, if an attacker has write access to the XML configuration file, they can add an export trigger to get cleartext passwords as and when they are used. Whether this is technically a vulnerability in KeePass is disputed, since anyone with write access to the configuration file already has enough access to perform more powerful attacks. The issue has been assigned CVE-2023-24055.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

Personally, I think that while it does follow that physical access equals root access, there should be some notification / mechanism that gets triggered when the XML configuration file is modified outside the KeePass interface. Something like an alert that tells you that “The XML configuration file was directly modified. Please ensure that no extra triggers are installed” (or words to that effect). This way, even if an attacker gets access to the system, they can’t easily get access to stored passwords, which would hopefully be protected with another password.
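An added example (not part of the original post and not KeePass code) of the kind of check suggested above: compare the configuration file against a trusted baseline and report any trigger that appeared outside the KeePass interface. The element names (`Trigger`, `Name`, `Action`) and both sample documents are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs (not real KeePass output); element names are assumed.
BASELINE_XML = """<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>"""

MODIFIED_XML = """<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Name>constructed-sample-trigger</Name>
          <Actions><Action><TypeGuid>PLACEHOLDER</TypeGuid></Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

def snapshot(xml_text):
    """Return (sha256 of the raw text, list of (trigger name, action count))."""
    digest = hashlib.sha256(xml_text.encode("utf-8")).hexdigest()
    root = ET.fromstring(xml_text)
    triggers = []
    for trig in root.iter("Trigger"):
        name = (trig.findtext("Name") or "<unnamed>").strip()
        triggers.append((name, len(list(trig.iter("Action")))))
    return digest, triggers

def audit(baseline_xml, current_xml):
    """Compare the current config with a trusted baseline; return alert strings."""
    base_hash, base_trigs = snapshot(baseline_xml)
    cur_hash, cur_trigs = snapshot(current_xml)
    alerts = []
    if cur_hash != base_hash:
        alerts.append("config file changed since baseline")
    for trig in cur_trigs:
        if trig not in base_trigs:
            alerts.append("new or altered trigger: %s (%d action(s))" % trig)
    return alerts

if __name__ == "__main__":
    for line in audit(BASELINE_XML, MODIFIED_XML):
        print("ALERT:", line)
```

The baseline has to be stored somewhere the account running KeePass cannot write to; otherwise anyone able to edit the configuration file can rewrite the baseline as well.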

Source: Naked Security: Password-stealing “vulnerability” reported in KeePass – bug or feature?
