KeePass Vulnerability Could Allow Attackers to Steal Your Passwords With Shadow Updates

KeePass is not the most popular password manager, but many of our readers use it. The next time you download an update for it, verify it yourself to avoid installing malware in its place.

According to security researcher Florian Bogner, KeePass uses unencrypted HTTP requests when checking for updates (as well as for several other tasks). An attacker who can intercept that traffic could deliver a fake update that compromises your installation. Unfortunately, the developer explained that the KeePass website cannot (or will not) switch to HTTPS at this time, which means that this problem cannot be fixed for now:

It is true that the KeePass site is still not accessible over HTTPS. Moving the update file to an HTTPS website is useless if the KeePass website is still using HTTP. This only makes sense when HTTPS is used for both. Unfortunately, for various reasons, using HTTPS is currently not possible, but I have been keeping an eye on this and will of course switch to HTTPS when possible.

This means that if you want to continue using KeePass, you must check any update you receive yourself. The company has instructions on how to do this here under Automatic Updates Vulnerability. This is not the best workaround, but it is better than nothing if you plan on continuing to use KeePass. Alternatively, you can check out our roundup of the five best password managers here for some of the alternatives, including LastPass and 1Password.
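The manual check the article recommends comes down to two questions: did the update information travel over a channel an attacker on the path could rewrite, and does the file you downloaded match the hash the vendor publishes out of band? The following Python script is an added illustration of both checks, not code from KeePass or from the researcher's write-up. The URL is a placeholder (`example.invalid`), the "installer" bytes and the "published" hash are constructed inside the script, and the hash comparison is constant-time so a partial match leaks nothing through timing.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse


def update_channel_is_insecure(url: str) -> bool:
    """True when an update or version-check URL would travel over plain text.

    Only https counts as protected: an http (or any other cleartext) request
    can be altered by anyone on the network path, which is exactly the
    man-in-the-middle scenario described in the article.
    """
    scheme = urlparse(url).scheme.lower()
    return scheme != "https"


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def update_matches_published_hash(path: str, expected_sha256_hex: str) -> bool:
    """Compare the downloaded file's SHA-256 with the hash the vendor publishes.

    The expected value must come from an independent, trusted source (for
    example a page fetched over HTTPS or a signed release note), never from
    the same cleartext channel that delivered the file.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256_hex.strip().lower())


def demo() -> dict:
    """Run both checks against constructed data and return the outcomes."""
    # Constructed stand-in for a downloaded installer; not a real KeePass file.
    genuine = b"placeholder installer bytes\n"
    tampered = genuine + b"attacker-appended bytes\n"
    # Constructed "published" hash: what a trusted vendor page would list.
    published = hashlib.sha256(genuine).hexdigest()

    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        good_path = os.path.join(workdir, "genuine.bin")
        bad_path = os.path.join(workdir, "tampered.bin")
        with open(good_path, "wb") as f:
            f.write(genuine)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        results["genuine_accepted"] = update_matches_published_hash(good_path, published)
        results["tampered_accepted"] = update_matches_published_hash(bad_path, published)

    # Placeholder URLs; the real KeePass update endpoint is not reproduced here.
    results["http_flagged"] = update_channel_is_insecure("http://example.invalid/update-info.txt")
    results["https_flagged"] = update_channel_is_insecure("https://example.invalid/update-info.txt")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the split is that the hash check is only meaningful when the expected value arrives through a channel the attacker cannot also rewrite; a hash printed on the same HTTP page as the download link protects against corruption, not against a deliberate swap.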

MitM Attack to Check for KeePass 2 Updates | Florian Bogner via Lifehacker.au
