KeePass update check MitM flaw can lead to hackers installing malicious App on your PC
Sometimes money outweighs security. This was proved when a security researcher discovered a critical security flaw in the KeePass password management software which can be exploited by potential hackers to install malicious Apps on the victim’s PC.
Open source password manager KeePass sports a MitM vulnerability that could allow attackers to trick users into downloading malware disguised as a software update, security researcher Florian Bogner warns. Bogner says that all versions of KeePass, including the latest, are vulnerable. The flaw is considered critical and and has been assigned CVE-2016-5119.
Unfortunately KeePass knows about the vulnerability but is unwilling to patch it because it would block ads on the App. Yes, KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager’s update check as the “indirect costs” of the upgrade (which would encrypt web traffic) are too high — namely, it’d lose ad revenue.
The simple implication is that KeePass devs think profit is more important than security of users.
“KeePass 2’s automatic update check uses HTTP to request the current version information,” Bogner has discovered. “An attacker can modify – through for example ARP spoofing or by providing a malicious Wifi Hotspot – the server response.”
If you are a KeePass customers, you will notice that a dialog box that indicates that there is a new version available for download. But even though the download link points to the official KeePass website (https://keepass.info/), the fact that the traffic to and from it is not encrypted means it could be intercepted and manipulated, and could result in the user downloading malware on his/her PC/laptop.
This is how we have mega data breaches when money overcomes security. If you are a KeePass customer it is advisable to not update the App till the developer releases a patch for the flaw.