Flaw allows for MitM attacks during KeePass' update process

Jun 5, 2016 21:00 GMT

The developer of the KeePass password manager has intentionally declined to fix a security flaw that allows for MitM (Man-in-the-Middle) attacks on the app's update process.

Back in February, Florian Bogner, a developer for Kapsch BusinessCom, discovered that every KeePass 2.x release checked for new versions by fetching version information from the KeePass servers over plain, unauthenticated HTTP.

Bogner was able to build and launch a MitM attack that replaced the KeePass update with a malicious file (check video below). The attack worked because KeePass did not use HTTPS for the version check or the download, and it did not verify the downloaded packages either, so anyone on the network path could alter both the version information and the file the user ended up installing.

KeePass developer initially declines to fix issue

The researcher notified KeePass' project leader, Dominik Reichl, who told Bogner in an email in February that "the vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution."

After receiving a CVE identifier from MITRE, CVE-2016-5119, the researcher went public with his findings. The story quickly spread across security-focused forums, less because of the exploit itself, which is trivial, than because of Reichl's response, which appeared to put advertising revenue ahead of the security of his users.

Following backlash from numerous users, Reichl responded to critics by saying his stance on adding HTTPS to the update process had not changed, but he pointed out that all KeePass binaries are digitally signed (Authenticode), so users can verify what they download. Reichl's full answer is below.

  It is true that the KeePass website isn't available over HTTPS up to now. Moving the update information file to an HTTPS website is useless, if the KeePass website still uses HTTP. It only makes sense when HTTPS is used for both. Unfortunately, for various reasons using HTTPS currently is not possible, but I'm following this and will of course switch to HTTPS when it becomes possible. Much more important is verifying your download (which I'd recommend independent of where you download KeePass from). The binaries are digitally signed (Authenticode); you can check them using Windows Explorer by going 'Properties' -> tab 'Digital Signatures'.

Users should download all KeePass updates from its homepage

Until Reichl changes his mind and serves both the update check and the downloads over HTTPS, the best course of action is to download the files manually from the KeePass homepage and verify their Authenticode signatures (Windows Explorer -> 'Properties' -> 'Digital Signatures') before running them. Note that the website itself is still served over HTTP, so it is the signature check, not the download source, that protects you against a tampered file.
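The Explorer check above can be scripted. The following is an added example, not code from KeePass or from Reichl, that verifies a downloaded KeePass binary the same way: it requires the Authenticode signature to be valid and chained to a trusted root, then checks that the signer's name matches the expected publisher. The expected signer string and the sample filename are assumptions; confirm the signer against a copy of KeePass obtained out-of-band before relying on the pattern.

```powershell
# Added example (not KeePass project code): verify a downloaded KeePass
# binary before running it, since both the update check and the website
# are served over plain HTTP and a MitM can swap the file in transit.
# Assumption: the expected signer pattern below; confirm it against a
# known-good copy of KeePass before relying on it.

function Test-KeePassDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed substring of the Authenticode signer's Subject field.
        [string] $ExpectedSignerPattern = 'Dominik Reichl'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only if the signature verifies AND the signing
    # certificate chains to a root the machine trusts. 'NotSigned' and
    # 'HashMismatch' are the results a tampered file would produce.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status {1} ({2}); do not run this file." -f
            $Path, $sig.Status, $sig.StatusMessage)
        return $false
    }

    # A valid signature from the wrong signer is exactly what an attacker
    # who substituted their own signed binary would produce, so the
    # publisher identity has to be checked as well.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSignerPattern*") {
        Write-Warning "$Path: valid signature but unexpected signer: $subject"
        return $false
    }

    # Record the hash so the same file can be recognised later without
    # repeating the full check.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "OK: $Path signed by '$subject' (thumbprint $($sig.SignerCertificate.Thumbprint)); SHA256 $hash"
    return $true
}

# Usage (assumed filename and location):
# Test-KeePassDownload -Path "$env:USERPROFILE\Downloads\KeePass-2.33-Setup.exe"
```

Get-AuthenticodeSignature only understands signed file formats such as .exe, .dll and .msi; the portable KeePass ZIP itself will report NotSigned, so extract it and run the check against KeePass.exe inside. Treat a SHA-256 value published on the KeePass site as a weak secondary check only, since that page is delivered over the same unauthenticated HTTP connection as the download.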

This is not the first time KeePass has been under scrutiny from security researchers. Last fall, another security researcher released KeeFarce, a tool that extracts cleartext passwords from a running, unlocked KeePass instance by injecting into its process.