KeepassXC Browser plugin

Calling Home

PDF

For years I have been using KeepassXC and in some places even as browser plugin. Its auto typing sequence is very flexibile. But a drop down selection at the input fields for username/ password is much easier to handle. But this comes at a price.

As I raked through open connections I found suspicious IPs with lasting connections and very low traffic. Looking them up their origin is KeepassXC Browser addon. A simple invocation of lsof -i tcp is sufficient.

The target port was always 443, regular TLS connection. Quote from page[2]:

And also written there this can be disabled completely even as compiler switch. Such a switch is called USE variable on Gentoo. In this case I'd emerge with USE=-network. I removed the browser plugin completely. In addition I disabled any egress from KeepassXC. Connections gone.

I didn't inspect the traffic more detailed. Also the possibility of outgoing connections is stated clearly in the manual. Those connections can easily be disabled from within KeepassXC. In addition I never authorized the plugin on Gentoo to access the keystore – the application explicitely notifies about this. It is very unlikely that my passwords were exfiltrated. But lesser connections mean smaller attack surface.

  1. SEC.com – Software Editing Corporation
  2. KeepassXC FAQ – KeepassXC FAQ, Network access
  3. KeepassXC Docs – KeepassXC documentation