
Developers, this is why you can’t make sloppy mistakes in your security application - It will backfire.


Question

Recently there was a topic created at Neowin about a security researcher who alerted a developer at KeePass about several security issues with the built-in update system.

 

The issue

The problem is that when KeePass does an update check, it checks over a standard HTTP interface. While that may be harmless in itself: after all, it's just a version check, right? Yes, however it is possible to perform a MITM attack (man-in-the-middle attack). This means that someone could make KeePass show that there's an update when there really wasn't.

Now, if the user clicks within the update dialog to download the new version, the URL http://keepass.info/ is opened to download the new release. Can you see the second issue? If I wanted to, I could hijack the request to http://keepass.info/ and redirect the user to a fake download page, get the user to download the fake update, and boom - the user's machine is infected.


The fix

The researcher did provide the developer with a suggested solution: switch to HTTPS. Sadly, the developer wasn't all that keen on fixing the problem - he says:

Quote

The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.


The bigger picture

Honestly, such a problem could have been fixed without losing revenue – one such example would be running the update checker on an HTTPS site and just leaving everything else on HTTP. But really though, as quoted from another forum that I frequent:

Quote

Wow, this is just terrible as all hell. Sorry, but if you're making a security product or service, I expect you to value security more than a quick buck.

At the end of the day, developers, security, at all costs, should be your number one priority. It doesn't matter if the risk is small - it's just not good enough.

 

Extra info and video: https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

Edited by Danielx64

5 answers to this question


Using a piece of software to keep your passwords safe made by a developer who doesn't seem to know even the basics of what SSL is seems like a bad idea.

1 minute ago, virtorio said:

Using a piece of software to keep your passwords safe made by a developer who doesn't seem to know even the basics of what SSL is seems like a bad idea.

Fortunately I don't use KeePass, but being a developer, it annoys me when simple mistakes like this are being made.


I use LastPass, a lot of the guys at my work use it too.

 

It's sad when people value money more than security. I mean, as someone who's aspiring to be a developer, I value security more than anything. If my projects ever went live, I'd offer a Bug Bounty program. Why? Because it's a benefit to my company/project in the end. I bet you KeePass lost a BUNCH of customers over this.


I use my brain. A, because I'm blessed with the ability to remember things for more than 30 seconds, and B, because I don't trust ANY of these password vault programs to be totally secure. Case kinda proven with this one, really...


Sadly, this topic is yet another example of viewing computer security as a perimeter defense, as if we live in an age of castles and need a secure moat around the walls, and maybe throw in a few dragons.

 

This type of thinking leads to huge breaches of millions of people's accounts, which keep happening at regular intervals with some of the largest names on the internet.

 

So instead of focusing on real actual serious breaches, we are going to dump on a lone developer giving his software away for free?

 

The Man-in-the-Middle attack requires a man in the middle. This is not a trivial thing to achieve and if you could put nefarious software in place on major internet nexus points to intercept KeePass update requests, you sure as heck would be setting your sights on much larger targets!

 

The chance of this happening is so low that the issue becomes the most ridiculous mocking of a real lone developer ever. There should be a special award for "Neowin Fail of the Year" on this one.

 

Meanwhile, large sites that should know better couldn't be bothered to implement proper security, and REAL, not theoretical, damage has occurred!

 

To do proper security, you need to forget about the perimeter. It has been proven time and again that any perimeter you design will be breached in milliseconds. It is a human frailty that people cling to firewalls and other castle-like metaphors to imagine computer security. It is impossible to prevent break-ins, but for the moment, until Quantum Computers come along, it IS possible to make the data into a useless thing to copy.

 

All of the serious security breaches of the last 10 years, totaling over 100 million user accounts etc., could have been rendered harmless if the data had simply been encrypted (properly) - shut down the firewall, let the criminals grab your data. Now they need to build a Quantum Computer.

 

In the case of KeePass, for example, if the update is encrypted, it doesn't matter if the entire communication is open. If some hacker group is brain dead enough to use hacked routers or DNS servers to focus on KeePass updates, because they would rather pick on a lone developer for sport instead of making their usual millions of dollars, then if the updates are encrypted, the fake ones will be instantly detected. In this case, SSL achieves the same thing, but it is the wrong mindset. If something needs protection, then it should be encrypted wherever it resides, not just at the endpoints.

 

 

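As an added example (not KeePass's code, and not from the linked write-up), this Go program shows the check that both the opening post's "switch to HTTPS" suggestion and the last reply's "encrypt the update so fakes are detected" argument are reaching for: the update-check response is signed by the publisher and verified against a key pinned in the client, so a response forged on the wire is rejected no matter whether it travelled over HTTP. The two-line body format, the version strings, the key pinning and the mirror.invalid URL are constructed for this example; only the keepass.info download site comes from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// VerifyUpdate checks a constructed update-check response whose signed body
// is the two-line text "<version>\n<download URL>". Over plain HTTP an on-path
// attacker can rewrite either line, so the client accepts it only if the
// Ed25519 signature over the exact bytes matches a publisher key pinned at
// build time and the download URL is HTTPS (so the second hop is protected too).
func VerifyUpdate(pinned ed25519.PublicKey, body, sig []byte) (string, string, error) {
	if !ed25519.Verify(pinned, body, sig) {
		return "", "", errors.New("signature invalid: body tampered or signed by unknown key")
	}
	version, url, ok := strings.Cut(string(body), "\n")
	if !ok {
		return "", "", errors.New("malformed update body")
	}
	if !strings.HasPrefix(url, "https://") {
		return "", "", fmt.Errorf("refusing non-HTTPS download URL %q", url)
	}
	return version, url, nil
}

// Scenario plays publisher and client with a fresh key pair and reports
// whether the genuine response passes and both forgeries are refused.
func Scenario() (genuineOK, editedRejected, resignedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Publisher's offline release step: sign the exact bytes the client will see.
	body := []byte("2.32\nhttps://keepass.info/download.html")
	sig := ed25519.Sign(priv, body)
	_, _, err := VerifyUpdate(pub, body, sig)
	genuineOK = err == nil
	// On-path edit of the version line: the bytes no longer match the signature.
	edited := []byte(strings.Replace(string(body), "2.32", "9.99", 1))
	_, _, err = VerifyUpdate(pub, edited, sig)
	editedRejected = err != nil
	// Attacker signs a fake response with their own key, which is not the pinned one.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fbody := []byte("9.99\nhttps://mirror.invalid/fake-setup.exe")
	_, _, err = VerifyUpdate(pub, fbody, ed25519.Sign(rogue, fbody))
	resignedRejected = err != nil
	return
}
```

The version check and the download location are covered by one signature, so the two issues in the opening post (a spoofed "update available" and a hijacked download) are caught by the same verification step.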
