A security researcher has discovered a flaw in the KeePass password management software that attackers can exploit to download and install malicious programs on a victim's personal computer.
KeePass is an open-source password manager. The flaw is a man-in-the-middle weakness that attackers can use to trick victims into installing malware disguised as a software update for one of the programs on their PCs. The discovery was made by security researcher Florian Bogner, who said that the problem affects all KeePass versions, including the latest release. The flaw is considered critical and was assigned CVE-2016-5119.
The bad news is that KeePass knows there is a problem, but does not want to do anything about it yet. Patching the flaw would stop the use of ads, and the company does not want to jeopardize that. KeePass 2 developer Dominik Reichl does not want to fix the problem because the costs of changing the password manager's update check are too high. In other words, they would lose the ad revenue they are currently getting.
Another way to look at it is that KeePass currently considers money more important than the security of its users. Bogner noticed that the KeePass 2 automatic update check uses plain HTTP to request current version information. He said that attackers could modify the server response simply by ARP spoofing or by setting up a fake, malicious Wi-Fi hotspot.
KeePass users then see a dialog box stating that a new version of the software is available. Even though the download link points to the official KeePass website, the problem is the traffic in between, which is unencrypted: it can be intercepted and manipulated in various ways, so the user ends up downloading malicious software.
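To show the defender's side of the update-check weakness described above, here is an added example (not KeePass code, and not from the article) of a hardened client-side check: it refuses an update offer unless the version response itself came over TLS, the offered version is well-formed and newer, and the download link is HTTPS on the official host. The "key: value" response format and the trusted host list are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed official download hosts; pinned in the client, not taken from the response.
TRUSTED_HOSTS = {"keepass.info", "www.keepass.info"}

def parse_version(text):
    """Turn '2.34' into (2, 34); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def parse_response(body):
    """Parse a constructed 'Key: value' update manifest (format assumed, not KeePass's)."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def evaluate_update(current_version, fetched_over_tls, body):
    """Return (accept, reasons). Any reason means the update offer is not trusted.

    fetched_over_tls: whether the version check itself was made over HTTPS.
    An on-path attacker (ARP spoofing, rogue hotspot) can rewrite a plain-HTTP
    response, so a cleartext check is rejected before its contents are believed.
    """
    reasons = []
    if not fetched_over_tls:
        reasons.append("version check was not fetched over TLS; response may be altered on path")
    fields = parse_response(body)
    try:
        offered = parse_version(fields.get("version", ""))
        if offered <= parse_version(current_version):
            reasons.append("offered version is not newer than the installed one")
    except ValueError as exc:
        reasons.append(str(exc))
    url = urlparse(fields.get("download", ""))
    if url.scheme != "https":
        reasons.append("download link is not https; installer could be swapped in transit")
    if url.hostname not in TRUSTED_HOSTS:
        reasons.append(f"download host {url.hostname!r} is not the official site")
    return (not reasons, reasons)
```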
This is where the problem begins. When a security company prioritizes money over security, major data breaches follow. All KeePass users are advised not to update their software until a patch is released by the developer.