KeePass 2 Has Finally Patched A Vulnerability That Lets Attackers Steal Passwords

Last week, we reported on a known security flaw in open source password manager KeePass 2. The software’s creator had refused to fix the issue but it seems he has now done a backflip and issued a patch in the latest update of the software. Here are the details.

As mentioned in our previous article, the issue stems from KeePass 2’s automatic update check function. The password manager used unencrypted HTTP requests to check for new updates and other tasks. This can be exploited by a man-in-the-middle attack.

KeePass creator Dominik Reichl had said he would not be switching to HTTPS to fix the vulnerability because it would impact advertising revenue. Now, with the release of KeePass 2.34, the flaw has been patched. The password manager’s update checker now sends the version information file over HTTPS. From the update notes:

“The version information file (which the optional update check downloads to see if there exists a newer version) is now digitally signed (using RSA-4096 / SHA-512); furthermore, it is downloaded over HTTPS.”

You can find out the about the other new features and download KeePass 2.34 over at its official website.

The Cheapest NBN 50 Plans

Here are the cheapest plans available for Australia’s most popular NBN speed tier.

At Lifehacker, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.