A security vulnerability was found in KeePass 2, a popular open source password manager, earlier this year but the software’s creator has refused to issue a patch. Here’s why.
The bug is in the password manager’s automatic update check. KeePass fetches its update information (and some other resources) over plain, unencrypted HTTP, so anyone who can intercept that traffic, for example a man-in-the-middle on an untrusted network, can alter the response and tell the client that a newer version is available.
According to Florian Bogner, an Austrian IT security expert, an attacker can use this to present users with a bogus update notification that sends them to a malicious download page. Bogner published a video demonstrating the attack.
Bogner’s recommendation is to serve update notifications over HTTPS and to download updates only from a trusted source. It is also worth noting that KeePass runs the update check only if the user has enabled it; the program asks whether to do so when it is first launched.
KeePass 2’s developer Dominik Reichl was notified of the vulnerability back in February, but he has made it clear that he will not fix it, because switching the site to HTTPS would mean losing advertising revenue.
In a more recent update Reichl further explained:
“It is true that the KeePass website isn’t available over HTTPS up to now. Moving the update information file to an HTTPS website is useless, if the KeePass website still uses HTTP. It only makes sense when HTTPS is used for both. Unfortunately, for various reasons using HTTPS currently is not possible, but I’m following this and will of course switch to HTTPS when it becomes possible.”
On the official KeePass website, he recommends that users verify any KeePass download:
“In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> ‘Properties’ -> tab ‘Digital Signatures’. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.”
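The Explorer check above is fine for a single file, but a scripted check is easier to apply to every EXE and DLL in an installation and catches a signature that is present but invalid or from the wrong publisher. The following PowerShell script is an added example, not code from the article or from the KeePass project. It assumes the default install directory `C:\Program Files\KeePass Password Safe 2` and that the signing certificate’s subject contains the name `Dominik Reichl`; both are assumptions you should confirm against a copy you already trust before relying on the script.

```powershell
# Added example (not from the article or the KeePass project): verify the
# Authenticode signatures on a downloaded KeePass installer or an installed
# KeePass folder before trusting it. Windows only (Get-AuthenticodeSignature
# is not available on Linux/macOS PowerShell).
#
# ASSUMPTIONS, to be confirmed against a known-good copy:
#   - $Path default: the usual KeePass 2 install directory.
#   - $ExpectedSigner: substring expected in the signing certificate's Subject.
param(
    [string]$Path = 'C:\Program Files\KeePass Password Safe 2',   # assumed default
    [string]$ExpectedSigner = 'Dominik Reichl'                     # assumed signer
)

function Test-KeePassSignature {
    param([string]$File, [string]$Signer)

    $sig = Get-AuthenticodeSignature -FilePath $File

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted. NotSigned, HashMismatch, UnknownError etc. all fail.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $File; Ok = $false; Reason = "Status=$($sig.Status)" }
    }

    # A valid signature from some other publisher is still not a KeePass file.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$Signer*") {
        return [pscustomobject]@{ File = $File; Ok = $false; Reason = "Signer=$subject" }
    }

    return [pscustomobject]@{ File = $File; Ok = $true; Reason = 'Valid' }
}

# The quoted guidance says the installer, KeePass.exe and all other EXE and
# DLL files are signed, so check every one of them when given a directory.
$files = if (Test-Path -Path $Path -PathType Container) {
    Get-ChildItem -Path $Path -Recurse -Include '*.exe', '*.dll' -File |
        Select-Object -ExpandProperty FullName
} else {
    @($Path)   # a single file, e.g. the downloaded installer
}

$results = foreach ($f in $files) { Test-KeePassSignature -File $f -Signer $ExpectedSigner }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Error 'At least one file failed signature verification; do not run it.'
    exit 1
}
```

Run it against the installer you just downloaded (`.\Verify-KeePass.ps1 -Path .\KeePass-Setup.exe`, substituting the real file name) before launching it, or against the install directory afterwards. The signer check matters because a man-in-the-middle who can redirect the download can just as easily serve a binary signed with some other, perfectly valid, certificate; only a signature from the expected publisher proves the file came from the KeePass project.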