Question
Danielx64
Recently there was a topic created at Neowin about a security researcher who alerted a developer at KeePass about several security issues with the built-in update system.
The issue
The problem is that when KeePass does an update check, it checks over a standard HTTP interface. While that may be harmless in itself (after all, it's just a version check, right?), it is possible to perform a MITMA (man in the middle attack). This means that someone could make KeePass show that there's an update when there really wasn't.
Now, if the user clicks within the update dialog to download the new version, the URL http://keepass.info/ is opened to download the new release. Can you see the second issue? If I wanted to, I could hijack the request to http://keepass.info/ and redirect the user to a fake download page, get the user to download the fake update and boom - the user's machine is infected.
The fix
The researcher did provide the developer with a suggested solution: switch to HTTPS. Sadly, the developer wasn't all that keen on fixing the problem. He says:
Quote
The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.
The bigger picture
Honestly, such a problem could have been fixed without losing revenue. One such example would be running the update checker on an HTTPS site and just leaving everything else on HTTP. But really though, as quoted from another forum that I frequent:
Quote
Wow, this is just terrible as all hell. Sorry, but if you're making a security product or service, I expect you to value security more than a quick buck.
At the end of the day, developers, security at all costs should be your number one priority. It doesn't matter if the risk is small - it's just not good enough.
Extra info and video: https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/
Edited by Danielx64
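A hardened version of the update check the post criticizes, added here as an example that is neither KeePass's code nor taken from the linked write-up: both the version lookup and the download link returned in the response must be https:// on the expected host, otherwise the check is refused before anything is shown to the user. The JSON response layout, the version.json path, the host pinning and the version numbers are constructed for this example.

```python
"""Added example (not KeePass code): an update check that rejects the two weaknesses
the post describes, a plain-HTTP version lookup and a plain-HTTP download link."""
import json
import re
from urllib.parse import urlparse

# Host taken from the post; pinning the host is this example's assumption.
EXPECTED_HOST = "keepass.info"
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")

class InsecureUpdateSource(Exception):
    """Raised when any step of the update flow would travel over plain HTTP."""

def require_https(url, expected_host=EXPECTED_HOST):
    """Accept only https:// URLs on the expected host; anything else is rejected."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureUpdateSource(f"refusing non-HTTPS URL: {url}")
    if parts.hostname != expected_host:
        raise InsecureUpdateSource(f"unexpected host in update URL: {url}")
    return url

def parse_version(text):
    """Turn '2.32' into (2, 32) so versions compare numerically, not as strings."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in text.split("."))

def check_for_update(current, version_url, fetch):
    """fetch(url) -> str is injected (an HTTPS client with certificate validation
    in real use). The JSON layout {"version", "download"} is constructed here."""
    info = json.loads(fetch(require_https(version_url)))
    latest = parse_version(info["version"])
    # The download link must be HTTPS too, or the dialog would send the user to a
    # page that can be hijacked just like the version check itself.
    download = require_https(info["download"])
    return {
        "update_available": latest > parse_version(current),
        "latest": ".".join(str(n) for n in latest),
        "download": download,
    }

# Constructed responses standing in for the network; no real requests are made.
GOOD_RESPONSE = json.dumps({"version": "2.32", "download": "https://keepass.info/download.html"})
TAMPERED_RESPONSE = json.dumps({"version": "99.0", "download": "http://keepass.info/download.html"})
```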
5 answers to this question