Notices by Team KeePassXC (keepassxc@fosstodon.org)

@eric KeePassXC Plus subscription with ten new monthly passwords.

GitHub took down the repository just now. It was up for 19 hours when we reported it. GitHub took action within roughly 2.5 hours, which was rather quick.

FYI: The "Download" link goes through I series of redirects with several obfuscated JavaScript pages in between. I didn't open it in a browser and therefore didn't spend the time to resolve the full chain to the final download, but the fact alone that these obfuscations are there speaks for itself.

🚨 *Attention!* We were made aware of a fake “KeePassXC Password Manager Pro” repository on GitHub that links to unverified external binary downloads.
- There is NO Pro version of KeePassXC!
- You get all the “Pro” features with the regular version.
Please download KeePassXC only from trusted distribution channels linked on https://keepassxc.org/ !

@solidsanek The first thing we say is "Invalid Credentials were provided, please try again"

Hey there, looks like #KeePassXC is relevant enough that 🤡 #AI #slop security foo companies now target our keywords on Google mobile search. What do you think would happen if suddenly lots of people started clicking those ads without actually buying anything?!🧐😁🤑

🚨BLACK FRIDAY SALE!!! 🤑📉 Our FREE software is 90% OFF this weekend!!

Get your deal at https://keepassxc.org/download NOW (only while stock lasts)! This is not a drill!

Also, if you want to support us more, we have options listed for you at https://keepassxc.org/donate 🤗

@juliank @stardust @tuxwise@tchncs.de I disagree with this statement on a fundamental level. If you see Debian as an expert tool for a very specific expert target group, then fine, whatever. But Debian is the base for a general-purpose operating system for millions of users with no technical background or simply no nerve and time to deal with things like this. You cannot and should not expect these users to know about any obscure text files, let alone read and understand the tech babble that's in them.

What this flag DOES NOT do is sandbox KeePassXC in any way. It will also not remove Qt's internal networking modules, since these are still required for certain offline functionality such as URL parsing and local sockets (blame Qt for not separating this functionality). It will also not prevent a local attacker from loading other DLLs/SOs/DYLIBs containing network code at runtime.

4/4

That's it. That's all that is removed from your build when you disable the flag. There is no web server running or anything, it's only client code requiring a manual action that is removed (as well as a link dependency to OpenSSL, which may be more significant).

3/4

KeePassXC connects with the internet in only three situations:

1) to check for updates (we ask you first if you agree to that and this feature is disabled in downstream packages such as Debian's anyway)

2) when you manually click the button to download a website's favicon on the Edit Entry form

3) when you decide to check your credentials against the online Hibp service (again, by explicitly clicking a button).

2/4

Following the recent discussion around the Debian decision to ship KeePassXC without any of its optional modules, we've seen some extreme misconceptions floating around the internet regarding what the WITH_XC_NETWORKING=OFF compile flag actually does.

Let us be clear: KeePassXC does NOT "randomly" connect to the internet in the background, regardless of whether you build with the flag on or off. Claims to the contrary of KeePassXC "surfing in the background" or "calling home" are false.

1/4

Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.

We have released a blog post discussing CVE-2023-35866: https://keepassxc.org/blog/2023-06-20-cve-202335866/