Last week, we reported on a known security flaw in open source password manager KeePass 2. The software’s creator had refused to fix the issue but it seems he has now done a backflip and issued a patch in the latest update of the software. Here are the details.
As mentioned in our previous article, the issue stems from KeePass 2’s automatic update check function. The password manager used unencrypted HTTP requests to check for new updates and other tasks. This can be exploited by a man-in-the-middle attack.
KeePass creator Dominik Reichl had said he would not be switching to HTTPS to fix the vulnerability because it would impact advertising revenue. Now, with the release of KeePass 2.34, the flaw has been patched. The password manager’s update checker now sends the version information file over HTTPS. From the update notes:
“The version information file (which the optional update check downloads to see if there exists a newer version) is now digitally signed (using RSA-4096 / SHA-512); furthermore, it is downloaded over HTTPS.”
You can find out the about the other new features and download KeePass 2.34 over at its official website.