Today you need to remember many passwords. “The binaries are digitally signed (Authenticode) you can check them using Windows Explorer by going ‘Properties’ -> tab ‘Digital Signatures’,” he noted.Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Reichl also pointed out that verifying the KeePass download – no matter from where it’s downloaded – is also important. Users can protect themselves from this type of attack by downloading new versions of the software directly from KeePass’ SourceForge page. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it a inviable solution,” KeePass developer Dominik Reichl responded when Bogner alerted them to the danger. He believes that switching to HTTPS should not be difficult, but apparently the developers are not of the same mind. “For any security centric tool – like a password manager – it is essential to not expose its users to any additional risks,” Bogner points out. Here is a video demonstration of the attack: But even though the download link points to the official KeePass website ( ), the fact that the traffic to and from it is not encrypted means it could be intercepted and manipulated, and could result in the user downloading malware.
The software would show a dialog box that indicates that there is a new version available for download. “An attacker can modify – through for example ARP spoofing or by providing a malicious Wifi Hotspot – the server response.” “KeePass 2’s automatic update check uses HTTP to request the current version information,” Bogner has discovered. The team developing the software is aware of the flaw (CVE-2016-5119), but they currently have no intention of fixing it. Open source password manager KeePass sports a MitM vulnerability that could allow attackers to trick users into downloading malware disguised as a software update, security researcher Florian Bogner warns.Īll versions of KeePass, including the latest, are vulnerable.
0 kommentar(er)
