Password Manager Vulnerability
Monday, June 6, 2016 @ 10:06 AM gHale
There is a vulnerability in the open source password manager KeePass.
The vulnerability could allow attackers to trick users into downloading malware disguised as a software update, said security researcher Florian Bogner of Kapsch BusinessCom AG.
All versions of KeePass are vulnerable. On top of that, the team developing the software is aware of the flaw, but they currently have no intention of fixing it.
“KeePass 2’s automatic update check uses HTTP to request the current version information,” Bogner said in a Full Disclosure post. “An attacker can modify – through for example ARP spoofing or by providing a malicious Wifi Hotspot – the server response.”
The software then shows a dialog box indicating that a new version is available for download. Even though the download link points to the official KeePass website (http://keepass.info/), traffic to and from that site is not encrypted either, so it too could be intercepted and manipulated, resulting in the user downloading malware.
“For any security centric tool – like a password manager – it is essential to not expose its users to any additional risks,” Bogner said.
Switching to HTTPS should not be difficult, but it appears the developers do not agree.
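What a hardened update check looks like in practice, as an added example written for this article and not code from the KeePass project: the client refuses plaintext HTTP for both the version query and the download, verifies a publisher signature over the update manifest with a pinned public key, and checks the downloaded bytes against the digest in that manifest. The manifest format, the Ed25519 key pair, the installer bytes and the `.invalid` hostnames are all constructed for the example and do not model KeePass' real version file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is the update metadata a publisher serves to the update checker.
// The format is constructed for this example; it does not model KeePass'
// real version file.
type Manifest struct {
	Version     string
	DownloadURL string
	SHA256      string // hex SHA-256 of the installer bytes
}

// canonical returns the bytes that are signed, so one signature covers the
// version, the download location and the expected digest together.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.DownloadURL + "\n" + strings.ToLower(m.SHA256) + "\n")
}

// SignManifest is the publisher's offline step with its private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrInsecureTransport = errors.New("update metadata or download URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify")
	ErrDigestMismatch    = errors.New("downloaded bytes do not match manifest digest")
)

// VerifyUpdate is the client-side check. An on-path attacker who can rewrite
// plaintext HTTP responses (the scenario in the advisory) is stopped by the
// transport check; a manifest or download altered by other means is stopped
// by the signature and digest checks.
func VerifyUpdate(pub ed25519.PublicKey, metadataURL string, m Manifest, sig, installer []byte) error {
	for _, raw := range []string{metadataURL, m.DownloadURL} {
		u, err := url.Parse(raw)
		if err != nil || !strings.EqualFold(u.Scheme, "https") {
			return ErrInsecureTransport
		}
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return ErrDigestMismatch
	}
	return nil
}

// Scenarios runs the genuine flow and three constructed tampering cases and
// returns the outcome of each, keyed by scenario name.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins; no real installer or hostnames are involved.
	installer := []byte("constructed stand-in for the genuine installer bytes")
	sum := sha256.Sum256(installer)
	genuine := Manifest{
		Version:     "2.x-example",
		DownloadURL: "https://updates.example.invalid/KeePass-Setup.exe",
		SHA256:      hex.EncodeToString(sum[:]),
	}
	sig := SignManifest(priv, genuine)
	const metaHTTPS = "https://updates.example.invalid/version.txt"

	// Manifest rewritten to point elsewhere: the signature no longer matches.
	rewritten := genuine
	rewritten.DownloadURL = "https://mirror.example.invalid/KeePass-Setup.exe"
	// Installer bytes replaced in transit: the digest no longer matches.
	swapped := []byte("constructed stand-in for a replaced installer")

	return map[string]error{
		"genuine":            VerifyUpdate(pub, metaHTTPS, genuine, sig, installer),
		"http metadata":      VerifyUpdate(pub, "http://updates.example.invalid/version.txt", genuine, sig, installer),
		"rewritten manifest": VerifyUpdate(pub, metaHTTPS, rewritten, sig, installer),
		"swapped download":   VerifyUpdate(pub, metaHTTPS, genuine, sig, swapped),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-19s -> %v\n", name, err)
	}
}
```

The transport check alone addresses the ARP-spoofing and rogue-hotspot case the advisory describes, since a TLS client will not accept a rewritten response. The signature and digest checks are defence in depth: they hold even if the update server or a mirror is compromised, which HTTPS by itself does not cover.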
The timeline for notifying the developer and getting a response was fairly quick.
Bogner notified KeePass developer Dominik Reichl Feb. 8 at 11:30 a.m. By 3:45 p.m. that same day, Reichl responded, saying, “The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.”
Users can protect themselves from this type of attack by downloading new versions of the software directly from KeePass’ SourceForge page rather than following the link in the update dialog.