All versions of KeePass Vulnerable to MitM Attack

http-vs-httpsAll versions of KeePass, an open source password manager is vulnerable to a MitM attack because of the way it is designed to check for updates. KeePass uses HTTP to request update information and an attacker can modify the server response through ARP Spoofing or by providing a malicious wifi hotspot. The development team of the software is fully in the know of the flaw (CVE-2016-5119) but they currently have no intention of fixing it.

It is a simple flaw based on the fact that traffic to and from the app when checking for updates is not encrypted and as such can be interceted an manipulated.

According to helpnetsecurity, when Bogner who discovered the flaw notified the developers, Dominic Reichl, KeePass developer responded that “The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it a inviable solution.”

Users can protect themselves by downloading new versions from KeePass directly and verifying all downloads.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s