Ramblings of an old Doc

 

If you have KeePass 2 – or any version of KeePass – you’d best disable automatic update checks if you want the accounts on the sites where you use the password manager to remain protected.

Apparently, it checks for updates, but they aren’t automatically downloaded and installed: it only notifies you that an update is available, and you have to click an additional link to get to the download page.

Unfortunately, that update page is served over http, not https as it should be – so the update request can be intercepted, leaving you vulnerable to a “man in the middle” attack that redirects you to a site where a phony update carrying malware is downloaded and installed…and that can be just about anything, including ransomware.
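To make the defensive point concrete, here is an added example (my own illustration, not KeePass code) of the two checks an update mechanism needs so that an on-path attacker cannot do what the paragraph above describes: the download location must be https on a pinned publisher host, and the downloaded file must match a hash published in a manifest that was itself obtained over a trusted channel. The host name, manifest contents, installer bytes and the `fetch` stand-in are all constructed so the script runs offline; the `mitm_fetch` function merely models the attacker serving a different file for the same URL.

```python
"""Hardened update-check pattern: HTTPS-only source plus pinned hash verification.

Added example, not KeePass code. TRUSTED_HOST, the manifests and the
installer bytes are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical publisher host. An update client should pin this rather than
# follow whatever host a redirect (or a rewritten http response) hands it.
TRUSTED_HOST = "updates.example.org"


def is_trusted_update_url(url):
    """Accept only https:// URLs on the pinned publisher host.

    A plain http:// URL (the situation described in the post) can be rewritten
    in transit, so it is rejected outright, before anything is fetched.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


def verify_download(payload, expected_sha256_hex):
    """Compare the downloaded bytes against the hash published in the manifest.

    compare_digest avoids a timing side channel on the string comparison.
    """
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def check_for_update(manifest, fetch):
    """Run both checks. `fetch(url)` is injected so the example needs no network."""
    url = manifest["download_url"]
    if not is_trusted_update_url(url):
        return False, "rejected: update URL is not https on the trusted host"
    payload = fetch(url)
    if not verify_download(payload, manifest["sha256"]):
        return False, "rejected: downloaded file does not match published hash"
    return True, "ok"


# --- constructed sample data -------------------------------------------------
GENUINE_INSTALLER = b"genuine installer bytes"          # constructed
TAMPERED_INSTALLER = b"attacker-substituted bytes"      # constructed
GENUINE_HASH = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def honest_fetch(url):
    """Stand-in for a real download that returns the publisher's file."""
    return GENUINE_INSTALLER


def mitm_fetch(url):
    """Models an on-path attacker who serves a different file for the same URL."""
    return TAMPERED_INSTALLER


# Same hash in both; only the scheme of the download URL differs.
HTTP_MANIFEST = {"download_url": "http://updates.example.org/app-setup.exe",
                 "sha256": GENUINE_HASH}
HTTPS_MANIFEST = {"download_url": "https://updates.example.org/app-setup.exe",
                  "sha256": GENUINE_HASH}

if __name__ == "__main__":
    print(check_for_update(HTTP_MANIFEST, honest_fetch))   # rejected: http
    print(check_for_update(HTTPS_MANIFEST, mitm_fetch))    # rejected: hash mismatch
    print(check_for_update(HTTPS_MANIFEST, honest_fetch))  # (True, 'ok')
```

The hash check only helps if the manifest carrying it cannot be rewritten by the same attacker: a manifest fetched over plain http would simply arrive with the attacker's hash. In practice the manifest is fetched over https and, better still, signed by the publisher so that the client can verify it even if the transport is compromised.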

The worst part? The developer of KeePass won’t fix the issue according to this report.

So…if you have KeePass, KeePass 2, etc., please configure it NOT to check for updates at startup (that setting is under Options), and consider a different app, at your discretion.

Personally, I can’t imagine a dev who refuses to fix a security defect in software that’s supposed to increase the customer’s security…but there it is.

Sources:

http://www.ghacks.net/2016/06/03/you-better-disable-update-checks-in-keepass-2/?_m=3n%2e0038%2e1870%2ehj0ao01hy5%2e1y2x

https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

