KeePassium tries to access internet domains from the database

[ronau]

Description
When I open KeePassium on macOS, Little Snitch is asking to allow network access to domains that are related to a database that has been opened in the past (which is, however, not the most recent database).

How to reproduce / What I did

1. Little Snitch installed for quite a while already
2. Open KeePassium (last time it was opened is longer ago than the database timeout setting, in this case the app hasn't been opened for days), i.e. no database was opened automatically.
3. See a Little Snitch dialogue asking to allow KeePassium to connect to a domain which is listed in a database which may have been opened with KeePassium a while ago, but which is not even in the list of recent databases
4. Repeating over and over again for other domains listed in that particular database (only then it became clear that all these are domains for which I have entries in that database)

I am not able to reproduce this currently. I also cannot say for sure what databases have been opened the last time KeePassium was running. I can only say for sure that KeePassium has not been running for a while (i.e. longer than database timeout).

---

Update:

Actually, the domains in question are also related to entries in macOS's Password application. However, I still don't see how there could be a relation between KeePassium and the macOS Password application right in the moment when KeePassium is opened.
Also, KeePassium is not enabled as auto-fill password application, only macOS's Passwords app.

---

Expected behavior

• There should be no network access whatsoever to domains that are related to the contents of any previously opened database
• Especially not if no database is opened yet
• This is a leak of very sensitive information!

Screenshots

Environment:

• 13" MacBook Air M1 2020
• macOS 15.2
• App version 2.2.160

Additional context
Settings:

• Auto-Open previous database: True
• Network Access: Off
• App Protection / App Lock: Off
• Data Protection:
  • Remember Master Keys: True
  • Database Timeout: 5min
  • Clear Master Keys On Timeout: True
  • Remember Key Files: True
  • Cache Derived Encryption Keys: True

[keepassium]

Did you use the favicon download feature, by any chance? It does reach out to every URL in your database. (Maybe it was earlier and Little Snitch shows prompts from a previous launch?)

Also, do you have Quick AutoFill enabled in app settings → Password AutoFill?

[ronau]

Is there such a feature in KeePassium even? Haven't found it, to be honest. Also, network access is switched off in KeePassium.
I do use such a feature in another KeePass-compatible password manager (MacPassium), which I use normally to open the database in question here.

Also, I made an update to the post:
Actually, the domains in question are also related to entries in macOS's Password application. However, I still don't see how there could be a relation between KeePassium and the macOS Password application right in the moment when KeePassium is opened.
Also, KeePassium is not enabled as auto-fill password application, only macOS's Passwords app.

Sorry, don't want to spread FUD here or anything. I was just very confused by the Little Snitch prompts.

[keepassium]

No worries about FUD, this is a valid concern and anyone would be alerted.

However, I still don't see how there could be a relation between KeePassium and the macOS Password application right in the moment when KeePassium is opened.

Apple's password manager has a nasty habit of inserting itself to other apps. Definitely on iOS and I would not be too surprised on macOS, either.

Should this happen again, can you please check details of the process making the request?

[ronau]

Will do, of course.

[keepassium]

I just accidentally reproduced this by switching on KeePassium in system AutoFill settings. This was on a macOS 15.1 machine that was inactive for a few weeks. It had a debug build and Little Snitch 5.8 installed, and LS showed this:

(There were prompts for other domains as well. No idea why there is a cog before the app name.)

I could not repeat that, and then noticed that LS stopped monitoring any traffic. After several reboots, I fixed that by upgrading LS to 6.1.3, KeePassium to TestFlight build — but still could not repeat the issue.

So then I opened Apple Passwords, which also was disabled in AutoFill settings for a long time. I don't use it, but there are quite a few entries with "never saved" note, from the times when iCloud Keychain was very aggressive about offering to save your passwords. Guess what, LS started reporting that the app tries to access each of those domains, too:

Curiously, in both cases the connection was "Established by" the system process com.apple.WebKit.networking.xpc. I assumed this was some global service responsible for all network connections. As a test, I tried to download a favicon using KeePassium, expecting to see this proxied via the same service. But nope:

The connection was attributed to the app itself, without any intermediate services.

My hypothesis is that system AutoFill framework periodically checks websites registered for Quick AutoFill. Not too frequently, though, because I spent a few hours trying to repeat the accidental success, without any result. The reasons are unclear as well…

The plan is to repeat the test in a day, then every week — but with Console logging everything. The system should log who originates these connections and, with any luck, why. Stay tuned.