
In this comment there is a comment mentioning a "secure UAC prompt" where the user can enter a password.

KeePass actually does have systems in place to stop keyloggers (such as only allowing the master password to be entered in a secure UAC prompt on Windows)

[...]

it also wouldn't be impossible to produce a fake UAC prompt, even if it might not stand up to close inspection

The only interaction I get (and I think this is true for most of the users as well) with Windows UAC is the system prompt about allowing an application to run or not. I've never heard about an application having its own UAC prompt.

So how does that look? What kind of security does it offer and what can I do as a user to protect myself from a phishing attempt?

schroeder
bolov

2 Answers


A UAC prompt appears on the secure desktop, so the normal Windows desktop (and any other open windows) are dimmed, behind a translucent black layer, with the prompt itself shown at full brightness overlaying the dimmed area. It should be centered on the main display, and contain the program name, verified publisher (in bold) and, in the case of running a file (such as an installer), the location of the file (in generic terms):

[Image: UAC prompt on the secure desktop]

It's possible for other applications to use the secure desktop to request input too. These get most of the same features: everything else dimmed, just the prompt displayed, centered:

[Image: KeePass master key prompt on the secure desktop]

In either case, there isn't much which couldn't be faked with a bit of effort: malware could take a screenshot of the desktop and display it in a fullscreen window with a prompt in the middle, or just rely on people not noticing that the window goes under the taskbar and show it in a normal window sized to cover everything else. In terms of KeePass, they could monitor for a mouse click on a fake KeePass icon in the tray and pop up a fake prompt, then reject whatever password was entered and trigger the real KeePass executable to launch - most users are likely to assume they mistyped (especially since seeing the incorrect password display becomes a rare event after typing the master password a number of times).

If you're paying attention, they wouldn't fool you, but if you're just wanting to get your password to buy something online, they might well be good enough.

Matthew
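The answer above assumes the secure desktop is actually in use, which is a policy setting and can be turned off. The following PowerShell function is an added example, not code from the original answers or from KeePass or Microsoft: it reads the documented UAC policy values (`EnableLUA`, `PromptOnSecureDesktop`, `ConsentPromptBehaviorAdmin`) and reports whether a genuine dimmed-screen prompt is what you should expect to see. The pass/fail logic, the `Test-UacSecureDesktop` name, the default `%APPDATA%\KeePass\KeePass.config.xml` path and the `Security/MasterKeyOnSecureDesktop` element name are this example's own assumptions; check the last one against your KeePass version.

```powershell
# Added example (not from the original answers): audit the UAC settings that decide
# whether an elevation prompt, or KeePass's master key prompt, lands on the secure desktop.
function Test-UacSecureDesktop {
    [CmdletBinding()]
    param(
        # Optional path to KeePass.config.xml; the KeePass check is skipped if absent.
        [string]$KeePassConfig
    )

    # Documented location of the UAC policy values.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    $result = [ordered]@{
        # 1 = UAC is enabled at all. With 0 there is never a prompt, real or fake.
        UacEnabled            = ($p.EnableLUA -eq 1)
        # 1 = elevation prompts are drawn on the secure desktop (the dimmed screen).
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
        # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/2 = credentials/consent
        # on the secure desktop, 3/4 = credentials/consent (honours PromptOnSecureDesktop),
        # 5 = consent for non-Windows binaries (the default).
        AdminPromptBehavior   = $p.ConsentPromptBehaviorAdmin
        AdminPromptsAtAll     = ($p.ConsentPromptBehaviorAdmin -ne 0)
        # Null when no KeePass config was examined.
        KeePassSecureDesktop  = $null
    }

    if ($KeePassConfig -and (Test-Path -Path $KeePassConfig)) {
        [xml]$cfg = Get-Content -Path $KeePassConfig -Raw
        # ASSUMPTION: element name for the "Enter master key on secure desktop" option.
        $node = $cfg.Configuration.Security.MasterKeyOnSecureDesktop
        $result.KeePassSecureDesktop = ($node -eq 'true')
    }

    # Assumed pass criterion: UAC on, prompts on the secure desktop, and admins actually prompted.
    $result.AllGood = $result.UacEnabled -and $result.PromptOnSecureDesktop -and $result.AdminPromptsAtAll
    [pscustomobject]$result
}

# Usual per-user KeePass config location (assumed; adjust for portable installs).
Test-UacSecureDesktop -KeePassConfig "$env:APPDATA\KeePass\KeePass.config.xml"
```

If `PromptOnSecureDesktop` is 0, a legitimate prompt looks exactly like the "normal window sized to cover everything else" the answer warns about, so the visual cues it lists stop being useful. A manual cross-check that needs no script: on the real secure desktop the ordinary desktop is not running, so pressing the Windows key or Alt+Tab does nothing; if the Start menu or task switcher appears over the "prompt", it is an ordinary window.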

This actually is possible using a little tool called AutoHotkey. This could be done by taking a screenshot of the desktop (assuming there is nothing on it) or using the desktop's image file then displaying it using a GUI, adding a dimmer overlay, making a UAC-looking prompt, then setting them to be "always on top". Then making an output variable to a text file and, boom, you have a phishing UAC window that is on top of the taskbar and steals info.

schroeder
255.tar.xz