KeePassXC 2.7.12: DLL protection, passkey changes, and TOTP in Auto-Type
KeePassXC 2.7.12 protects Windows users from DLL injection via OpenSSL, changes passkey flags, and supports TOTP placeholders in Auto-Type.
The open-source password manager KeePassXC has been released in version 2.7.12. The release fixes several security issues, most notably protection against DLL injection attacks on Windows. It also brings functional enhancements, including TOTP support in Auto-Type and nested folders for Bitwarden imports.
As the developers announce in their release blog, the new version contains mitigations against exploits via manipulated OpenSSL configuration files on Windows. In a DLL injection, attackers insert malicious Dynamic Link Libraries into the address space of a running process to execute arbitrary code or escalate privileges. KeePassXC 2.7.12 now prevents OpenSSL configurations from being misused as an attack vector for such injections.
Passkey flags change – caution with updates
A change that may cause trouble affects passkeys: KeePassXC now stores the Backup Eligibility (BE) and Backup State (BS) flags with each passkey entry. The BE flag indicates whether a passkey can be backed up and synchronized as a multi-device credential, and the BS flag marks the current backup status. Previously, both values were fixed at false; from version 2.7.12 onwards, they are set to true by default. The developers explicitly warn, “This may break existing passkeys for which the flags were not stored, since the values are considered immutable.”
If you experience problems with existing passkeys after the update, you can restore the previous state by manually adding two string attributes under “Advanced”: KPEX_PASSKEY_FLAG_BE=0 and KPEX_PASSKEY_FLAG_BS=0. Additionally, the publicKey is now included in the registration response for passkeys.
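To make the warning concrete, here is an added illustration (not KeePassXC code) of how the BE and BS values end up in the WebAuthn authenticator-data flags byte and why a relying party rejects an assertion whose BE bit differs from the one it saw at registration. The bit positions are those defined by the WebAuthn specification; the attribute names KPEX_PASSKEY_FLAG_BE and KPEX_PASSKEY_FLAG_BS are the ones given above, and the "missing attribute means 0 before 2.7.12, 1 from 2.7.12" rule models the behaviour change the article describes.

```python
# WebAuthn authenticator-data flag bits (values from the WebAuthn spec)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility: may this credential be synced?
FLAG_BS = 0x10  # backup state: is it currently backed up?


def passkey_flags_from_entry(attributes: dict, version_2_7_12: bool = True) -> int:
    """Build the flags byte a client would send for a stored passkey.

    `attributes` models the entry's "Advanced" string attributes.  When the
    KPEX_PASSKEY_FLAG_* attributes are absent, the default is 0 (false) for
    older releases and 1 (true) from 2.7.12 onwards, as the article states.
    """
    default = 1 if version_2_7_12 else 0
    be = int(attributes.get("KPEX_PASSKEY_FLAG_BE", default))
    bs = int(attributes.get("KPEX_PASSKEY_FLAG_BS", default))
    if be not in (0, 1) or bs not in (0, 1):
        raise ValueError("KPEX_PASSKEY_FLAG_* attributes must be 0 or 1")
    if be == 0 and bs == 1:
        # The spec forbids "backed up" for a credential that is not eligible.
        raise ValueError("BS may not be set while BE is clear")
    flags = FLAG_UP | FLAG_UV
    if be:
        flags |= FLAG_BE
    if bs:
        flags |= FLAG_BS
    return flags


def rp_check_assertion(stored_be: bool, assertion_flags: int) -> tuple:
    """Relying-party side check that explains the breakage.

    BE is immutable for the lifetime of a credential, so a relying party
    compares the BE bit recorded at registration with the BE bit in every
    later assertion and rejects the login on mismatch.  BS may change, but
    BS=1 together with BE=0 is never valid.
    """
    be_now = bool(assertion_flags & FLAG_BE)
    bs_now = bool(assertion_flags & FLAG_BS)
    if be_now != stored_be:
        return False, f"BE changed: registered={stored_be}, assertion={be_now}"
    if not be_now and bs_now:
        return False, "invalid combination BE=0, BS=1"
    return True, "ok"


if __name__ == "__main__":
    # A passkey registered before 2.7.12 had BE=0; after the update the
    # client now reports BE=1 unless the two attributes are added manually.
    old_flags = passkey_flags_from_entry({}, version_2_7_12=False)
    new_flags = passkey_flags_from_entry({})
    fixed = passkey_flags_from_entry({"KPEX_PASSKEY_FLAG_BE": "0",
                                      "KPEX_PASSKEY_FLAG_BS": "0"})
    print(f"registered flags 0x{old_flags:02x}, after update 0x{new_flags:02x}")
    print("RP verdict after update:", rp_check_assertion(False, new_flags))
    print("RP verdict with attributes restored:", rp_check_assertion(False, fixed))
```

The second print shows the failure mode from the warning: the relying party still has BE=false on record, the updated client now sends BE=true, and the assertion is refused. Restoring the two attributes makes the flags byte identical to the pre-update one again.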
TOTP placeholders and improved browser dialog
KeePassXC 2.7.12 now supports {TIMEOTP} as a placeholder in Auto-Type sequences and as an entry placeholder. TOTP (Time-based One-Time Password) is an algorithm specified by RFC 6238 that generates time-based one-time passwords from a shared secret key and the current system time – typically every 30 seconds. Users can thus have the current TOTP code automatically inserted into login forms without having to read it manually from an authenticator app.
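The following added example (not KeePassXC's own code) shows the RFC 6238 computation behind such a placeholder, a verifier that tolerates the usual one-step clock skew, and a small expander that substitutes {TIMEOTP} into an Auto-Type sequence at the moment it is typed. The placeholder set it handles is an assumed subset ({USERNAME}, {PASSWORD}, {TIMEOTP}, {TAB}, {ENTER}), the entry record is constructed, and the secret is the RFC 6238 test-vector key in base32 so the codes can be checked against the RFC's own table.

```python
import base64
import hashlib
import hmac
import re
import struct
import time


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter for_time // step."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side to absorb clock drift, comparing in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """otpauth secrets are base32, often unpadded and with spaces."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


PLACEHOLDER = re.compile(r"\{(USERNAME|PASSWORD|TIMEOTP|TAB|ENTER)\}")


def expand_autotype(sequence: str, entry: dict, now: int) -> list:
    """Turn an Auto-Type sequence into the list of things to type.

    Literal text is emitted as-is, {TAB}/{ENTER} become key tokens, and
    {TIMEOTP} is computed from the entry's base32 secret at `now`, so the
    code is always the one valid when the sequence actually runs.
    """
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(sequence):
        if m.start() > pos:
            out.append(sequence[pos:m.start()])
        name = m.group(1)
        if name == "USERNAME":
            out.append(entry["username"])
        elif name == "PASSWORD":
            out.append(entry["password"])
        elif name == "TIMEOTP":
            out.append(totp(decode_base32_secret(entry["otp_secret"]), now))
        else:
            out.append(f"<{name}>")
        pos = m.end()
    if pos < len(sequence):
        out.append(sequence[pos:])
    return out


# Constructed entry; the secret is base32 of the RFC 6238 SHA-1 test key
# "12345678901234567890".
SAMPLE_ENTRY = {
    "username": "alice",
    "password": "s3cret",
    "otp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

if __name__ == "__main__":
    seq = "{USERNAME}{TAB}{PASSWORD}{TAB}{TIMEOTP}{ENTER}"
    print(expand_autotype(seq, SAMPLE_ENTRY, int(time.time())))
```

With the RFC test key, `totp(b"12345678901234567890", 59, digits=8)` yields 94287082, matching the first row of the RFC 6238 test table; the six-digit form KeePassXC would type is the last six digits, 287082.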
In the browser access dialog, KeePassXC now displays the matched URLs in a tooltip. This makes it easier to verify which websites are actually requesting access to stored credentials. Furthermore, the new version validates the main entry URL when using placeholders and correctly stores browser-specific values in the customData fields.
Bitwarden import with nested folders
If you are migrating from Bitwarden to KeePassXC, you can also import nested folders with the new version. Bitwarden uses a slash as a separator for hierarchical folder structures, e.g., “Socials/Forums.” KeePassXC 2.7.12 correctly maps this hierarchy during import, preserving the vault structure.
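As an added illustration of that mapping (not the project's importer), the script below reads a constructed sample in the shape of an unencrypted Bitwarden JSON export, splits each folder name on the slash, and builds nested groups, creating intermediate groups such as "Work" and "Work/Cloud" even when the export lists only "Work/Cloud/AWS". The export field names used ("folders", "items", "name", "folderId") are assumed from the export format; the root group name is arbitrary.

```python
import json

# Constructed sample export; only the keys used below are included.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [
        {"id": "f1", "name": "Socials"},
        {"id": "f2", "name": "Socials/Forums"},
        {"id": "f3", "name": "Work/Cloud/AWS"},   # parents not listed
    ],
    "items": [
        {"name": "Mastodon", "folderId": "f1"},
        {"name": "ForumX", "folderId": "f2"},
        {"name": "AWS console", "folderId": "f3"},
        {"name": "Unfiled", "folderId": None},
    ],
})


class Group:
    """Minimal stand-in for a KeePass group: name, child groups, entries."""

    def __init__(self, name: str):
        self.name = name
        self.children = {}
        self.entries = []

    def ensure_path(self, parts: list) -> "Group":
        """Walk down `parts`, creating missing groups, and return the leaf."""
        node = self
        for part in parts:
            node = node.children.setdefault(part, Group(part))
        return node


def split_folder_name(name: str) -> list:
    """Bitwarden separates nesting levels with '/'; drop empty segments
    produced by leading, trailing or doubled slashes."""
    return [p for p in name.split("/") if p]


def import_bitwarden(export_json: str) -> Group:
    data = json.loads(export_json)
    root = Group("Bitwarden import")                       # assumed root name
    folder_paths = {f["id"]: split_folder_name(f["name"])
                    for f in data.get("folders", [])}
    for parts in folder_paths.values():
        root.ensure_path(parts)                            # keep empty folders
    for item in data.get("items", []):
        parts = folder_paths.get(item.get("folderId"), [])  # None -> root
        root.ensure_path(parts).entries.append(item["name"])
    return root


def group_paths(group: Group, prefix: str = "") -> list:
    """Flatten the tree back into 'a/b/c' paths, for inspection."""
    paths = []
    for name, child in group.children.items():
        path = f"{prefix}/{name}" if prefix else name
        paths.append(path)
        paths.extend(group_paths(child, path))
    return paths


if __name__ == "__main__":
    tree = import_bitwarden(SAMPLE_EXPORT)
    for path in sorted(group_paths(tree)):
        print(path)
```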
Other bug fixes
On Linux, the developers reverted a change that caused a race condition in the Auto-Type function. Additionally, the release fixes various minor issues: the display of the checkbox value in the browser integration settings is now correct, font and theme rendering have been fixed, the “Remove” button in the plugin data now works properly, and filenames are cleaned up before saving attachments.
KeePassXC 2.7.12 is available for Windows, Linux, and macOS for download on the project page.
(fo)