KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue


Alkajak

Thread author
The developer of the KeePass password manager has intentionally declined to fix a security flaw that allows for MitM (Man-in-the-Middle) attacks on the app's update process.

Back in February, Florian Bogner, a developer for Kapsch BusinessCom, discovered that all KeePass 2.x versions featured an insecure update mechanism that asked the KeePass servers for new releases via an insecure HTTP connection.

Bogner was able to create and launch a MitM attack, replacing the KeePass update with a malicious file (check video below). This attack was possible because KeePass didn't use HTTPS, nor did it verify downloaded packages.

KeePass developer initially declines to fix issue
The researcher notified KeePass's project leader, Dominik Reichl, who told Bogner in an email in February that "the vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution."

After receiving a CVE identifier from MITRE, CVE-2016-5119, the researcher decided to go public with his research, which soon ended up on all security-focused forums, not so much because of the trivial exploit but because of Reichl's response, who chose sweet advertising money over the security of his users.

Following backlash from numerous users, Reichl responded to critics by saying his stance hasn't changed on adding HTTPS support for the update process, but he revealed he added support for digital signatures for all KeePass update packages. Reichl's full answer is below.

“It is true that the KeePass website isn't available over HTTPS up to now. Moving the update information file to a HTTPS website is useless, if the KeePass website still uses HTTP. It only makes sense when HTTPS is used for both. Unfortunately, for various reasons using HTTPS currently is not possible, but I'm following this and will of course switch to HTTPS when it becomes possible. Much more important is verifying your download (which I'd recommend independent of where you download KeePass from). The binaries are digitally signed (Authenticode); you can check them using Windows Explorer by going 'Properties' -> tab 'Digital Signatures'.”

Users should download all KeePass updates from its homepage
Until Reichl has a change of heart and adds HTTPS support to KeePass' update process, the best course of action is to use the Digital Signatures feature to verify update packages, or to go to the KeePass website and download the files manually.

This is not the first time KeePass has been under scrutiny from security researchers. Last fall, another security researcher created KeeFarce, a tool for extracting cleartext passwords from KeePass' internal database.

Full Article: KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue
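The Authenticode check Reichl recommends, scripted so it can be run over a whole Downloads folder instead of clicking through Explorer. This is an added example, not code from the article or from the KeePass project; the expected signer name is an assumption that you pin once from a known-good copy of the installer.

```powershell
# Added example: verify the Authenticode signature of a manually downloaded
# KeePass package before running it. A valid signature from the wrong
# publisher is still an attack, so the signer subject is pinned as well.
function Test-KeePassPackageSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed value: the subject string seen on a known-good installer.
        # Replace the placeholder before relying on this check.
        [Parameter(Mandatory)] [string] $ExpectedSubjectFragment
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid only if the hash matches and the chain is trusted;
    # NotSigned and HashMismatch are what a swapped-in package would show.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path' is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubjectFragment*") {
        Write-Warning "Valid signature but unexpected signer: $subject"
        return $false
    }
    # A timestamp keeps the signature valid after the signing cert expires;
    # record it alongside the thumbprint for the audit log.
    $ts = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
    Write-Host "OK: '$Path' signed by $subject; thumbprint $($sig.SignerCertificate.Thumbprint); timestamp by $ts"
    return $true
}

# Usage: check every KeePass installer in Downloads against the pinned signer.
# '<EXPECTED SIGNER CN>' is a placeholder; read the real subject from a known-good file.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'KeePass-*.exe' |
    ForEach-Object { Test-KeePassPackageSignature -Path $_.FullName -ExpectedSubjectFragment '<EXPECTED SIGNER CN>' }
```

Get-AuthenticodeSignature only covers signed binaries (.exe, .msi, .dll); a portable .zip is not Authenticode-signed, so this check cannot vouch for it.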

DardiM

May 14, 2016
Long live protection software that isn't free!!!
Or not ...

CMLew

Oct 30, 2015
It's pretty disheartening to read this kind of news. And the affected product is a password manager, which has now made me believe that my initial stance was right: pen and paper are more secure than a password manager.
