KeePass is one of the most popular password managers, with versions available for Windows PCs, Linux, macOS, Android and iOS. The program is so popular that it has over two dozen companion apps and extensions for those platforms and for various browsers.
Chrome KeePass, aka CKP, is one such browser extension and boasts a user base of over 42,000. You may have noticed that the extension has not been updated since May 2017.
That is because the extension has been retired and is therefore no longer supported. Now Brandon, a contributor to the extension, has discovered a security flaw in Chrome KeePass. The extension reportedly stores the master key on the PC when you choose the "Remember My Password" option.
It is worth mentioning that the master key is not the same as the master password, so your password itself won't be stolen. But the master key can decrypt your KeePass database, which in turn gives whoever obtains it access to all of your passwords. So, in a way, it is arguably worse.
The situation is actually more serious still, because each time you use the "Remember My Password" option the extension writes a new copy of the master key without deleting the previous one. When contacted by Brandon, the developer of Chrome KeePass allegedly told him that the extension has been archived, i.e., it will not be updated to fix this issue. So 42,000+ users are at risk: if someone's computer is lost or stolen, their passwords could be recovered from it.
The first thing you need to do is uninstall the extension from Google Chrome. You can replace CKP with an alternative such as KeePass Tusk, which is made by Brandon, the same person who discovered the flaw.