Batu69 Posted June 3, 2016

A security vulnerability in the popular password manager KeePass 2 was disclosed recently, affecting all versions of the password manager but only if automatic update checks are enabled. KeePass 2 ships with an option to check periodically for program updates. While update checks are performed if the feature is enabled, automatic downloads and installations of updates are not supported.

Basically, what happens is that KeePass communicates with a service to see if an update is available. Users may then click on the update notification, if an update is available, to open a page on the Internet that provides them with a download of the new version of the password manager.

The vulnerability exploits the fact that KeePass 2 performs update checks over HTTP and not HTTPS. An attacker could exploit this by intercepting update requests, for instance on a local network, sending manipulated update information to the KeePass 2 client, and getting users to open a site on the Internet where a fake version of KeePass is offered (or other things happen, e.g. drive-by downloads).

The developer of KeePass won't fix the issue, according to the report.

How to protect yourself

Existing KeePass users have two options when it comes to the issue. The easier option involves disabling update checks in the client. This is done in the following way:

1. Open the KeePass 2 software on your system.
2. Select Tools > Options from the menu at the top.
3. Switch to the Advanced tab in the options window, and remove the checkmark from "Check for update at KeePass startup" there.

The downside of the method is that you would have to find a way to stay informed in regards to updates. You could visit the developer website regularly for that, or subscribe to the KeePass RSS Feed instead if you are using an RSS reader.

You could keep update checks enabled, on the other hand, but instead of clicking on the link provided by KeePass when updates are found, visit the KeePass website manually to download updates from it. Both methods work just fine but add a level of inconvenience to the update checking and downloading process. Still, it is recommended to make use of either one of them to protect one of the most important programs on the computer.

Article source
vibranium Posted June 3, 2016

Quote:
The vulnerability exploits the fact that KeePass 2 performs update checks over HTTP and not HTTPS.

Incredibly weak!
VileTouch Posted June 3, 2016

Why not just update it from Chocolatey? If you have it, you probably already have a cron job to update all your packages periodically too, and THIS is where choco gets the file from: https://sourceforge.net/projects/keepass/files/KeePass%202.x/2.33/KeePass-2.33-Setup.exe
CODYQX4 Posted June 3, 2016

.
steven36 Posted June 3, 2016

2 hours ago, CODYQX4 said:
and no scummy practice like this.

Why would you have let a program like KeePass 2 touch the internet anyway, when it doesn't require it on Windows? Don't you have a firewall that warns you? And really, HTTPS is still vulnerable to HSTS, so you can't really trust it either; it's useless against MITM attacks. People keep thinking HTTPS is some kind of magic cure, but it's not; there have been all kinds of vulnerabilities found in it. It only helps protect a site, but it doesn't protect the end user at all. Just check the Authenticode signatures on KeePass 2 when you download it, and block it and/or turn off updates. It is safe; I know people who used it for years and never had problems like those that work in the cloud did. This app has been proven safe and effective for years, so why would they switch to something else? No telling how many apps there are that still check for updates via HTTP.

Quote:
79 of the web's top 100 non-Google sites don't deploy HTTPS by default, while 67 of those use either outdated encryption technology or offer none at all.
https://www.wired.com/2016/03/https-adoption-google-report/

Tumblr uses HTTPS; see how well it protected the end users' passwords? Most all these password attacks you read about on the internet are via HTTPS sites, so HTTPS is just a false sense of security at best. It's like when that hacker Peace attacked Linux Mint via HTTP; now they switched to HTTPS, but how does this really help? Other than to protect their site, it doesn't protect the end user, and now he attacks many HTTPS sites as well. The best thing to do is switch to Authenticode signatures on your software, which KeePass has.
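An added example (not code from the thread or from the KeePass project) of the two mitigations described above and in the opening post: verifying the Authenticode signature of a manually downloaded installer before running it, and blocking KeePass's outbound traffic with a Windows Firewall rule so only manual updates are possible. The installer path, the KeePass.exe install path and the expected publisher name are assumed placeholders to fill in from your own system.

```powershell
# Added example, not code from the thread or from the KeePass project.
# Assumptions (placeholders): installer path, KeePass.exe path, expected publisher name.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name (the CN) from the signer certificate of a copy you already
        # trust, e.g. your current install; placeholder, fill in yourself.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the certificate chains
    # to a trusted root; NotSigned, HashMismatch or UnknownError mean: do not run it.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting ${Path}: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # A valid signature from the wrong publisher is still the wrong file.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*CN=$ExpectedPublisher*") {
        Write-Warning "Rejecting ${Path}: signed, but by '$subject'"
        return $false
    }
    return $true
}

function Block-OutboundFor {
    param([Parameter(Mandatory)] [string] $ExePath)
    $name = 'Block KeePass outbound (manual updates only)'
    # Idempotent: only create the rule if it does not exist yet. Needs an elevated shell.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $ExePath `
            -Action Block -Profile Any | Out-Null
    }
}

# Placeholders to adjust for your system:
$installer  = "$env:USERPROFILE\Downloads\KeePass-2.33-Setup.exe"      # fetched manually over HTTPS
$keepassExe = "$env:ProgramFiles\KeePass Password Safe 2\KeePass.exe"   # assumed install path
$publisher  = '<publisher CN from the signer certificate of a trusted copy>'

if (Test-InstallerSignature -Path $installer -ExpectedPublisher $publisher) {
    Write-Host "Signature OK; $installer may be run"
} else {
    Write-Host "Do not run $installer"
}
Block-OutboundFor -ExePath $keepassExe
```

With the outbound rule in place the update check itself can no longer reach the network, so the HTTP check becomes irrelevant and the signature check is what gates every update you apply by hand.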
CODYQX4 Posted June 3, 2016

.
steven36 Posted June 3, 2016

46 minutes ago, CODYQX4 said:
A protection that takes a great deal of effort and situation to break is better than just leaving the door wide open and saying "help yourself". We've kept HTTPS suppressed so long by tying data security and website validation into one. We'd rather websites serve pure, 100% public and easily modified/password-sniffed HTTP than have HTTPS without validation. We rain down red screens of unholy terror for a certificate issue, but you can log in to any HTTP site over Starbucks Wi-Fi and no fucks are given. HTTP should be red, HTTPS (unvalidated) should be yellow (without screaming death is imminent), HTTPS (CA) should be green.

You sound like an ad for Google, when in reality most all the password attacks are happening via HTTPS. Most apps for Linux don't have an auto update check; they check via the update manager. I just uncheck any 3rd party PPA that I have used so they can't check for updates, and check back for updates every so often, and it's done via HTTPS. Also, I'm behind 256 encryption as well. But security is just as much your responsibility as it is the developer's. And in this day and age, if you don't practice good security habits, it's your own fault if you get hacked. I can't save the world; only I can save myself. Don't take this wrong, but a lot of your posts on here are like many others' posts on here: when you hear something is found wrong in something, you try to use it to get them to use what you use, and there's things you use I'm not going to use. Anything you use, stuff has been found wrong with it too. I don't see any ads in KeePass; it only calls home to see if there's an update if you don't uncheck the box. There's many things in Chrome you can't see, and you use these apps. Google makes all their money from ads and data retention in their software, so you make no sense.

Quote:
If you use Google Chrome, there are two privacy issues, regarding the deletion of your browsing history, that you need to know about. Even though you think you have successfully removed all traces, two more issues are hiding, and while they were unveiled some time ago, many people remain unaware. The zoom function in Google Chrome creates a log of your online visits based on your zoom usage, and this information is not deleted when you delete your browsing history in the aforementioned step. Currently, there does not seem to be a way to clear this data from the system; consider limiting your use of the zoom function to sites you do not mind people knowing you visit. The second instance is in regards to DNS domains. DNS converts a domain name into an IP address; while DNS loading times vary greatly based on the network and server, Chrome's browser "pre-fetches" the information to save you time. For example, it will look up the DNS and cache it to your user profile, so when you click on a link, the cached result is loaded rather than searching for the information each time. Just like the zoom function, this information is not deleted when you delete your browsing history. This can leave a rather large trail of information and website visits. To clear the cache, navigate to chrome://net-internals/#dns. Bottom line: do not rely on Chrome to fully erase any of your information, even in "Incognito" mode. Be aware of what sites you visit and know that clearing your history does not always remove your footprints.
https://theamericangenius.com/tech-news/hidden-google-chrome-privacy-issues-know/

You recommend software that tracks you for life, but with KeePass 2 you can just disable auto updates and it's OK, so which is worse?
straycat19 Posted June 3, 2016

Again, everyone is going off the deep end because some researcher cried wolf. Before anyone can do an MitM attack, you have to put yourself in a position to be subject to it. And there has to be a set of circumstances that would be equivalent to a 'perfect storm' for it to happen. And all the proof of concept tests are always done in controlled environments, so the chance of it occurring in real life is infinitesimal.

15 minutes ago, CODYQX4 said:
I set up a fake ATTWifi hotspot and intercept and modify the update package before it gets to you

Lots of luck with that; it won't work, people have tried. People who don't know what they are talking about always make it sound so easy, and it isn't. If I caught you trying, then I would reach in my computer bag and pull out one of my other tools, flex cuffs, and hack your life.
steven36 Posted June 3, 2016

59 minutes ago, straycat19 said:
Again, everyone is going off the deep end because some researcher cried wolf. Before anyone can do an MitM attack, you have to put yourself in a position to be subject to it. And there has to be a set of circumstances that would be equivalent to a 'perfect storm' for it to happen. And all the proof of concept tests are always done in controlled environments, so the chance of it occurring in real life is infinitesimal. Lots of luck with that; it won't work, people have tried. People who don't know what they are talking about always make it sound so easy, and it isn't. If I caught you trying, then I would reach in my computer bag and pull out one of my other tools, flex cuffs, and hack your life.

LOL, every month Google plugs tons of security issues that paid hackers find, month after month, year after year, and it's nothing but a band-aid, and there's tons of privacy issues they never fix, and the masses use it online like it's nothing. But something so small as an app you use offline, where you can uncheck a box or block it and it's fixed, they're going to make a big deal about it? Anything I don't allow to go online is not going to harm me. KeePass doesn't auto update via HTTP; its download links are on HTTPS. It only checks; the only thing a hacker could do is send them to a fake update page. But any app could be hijacked, and browsers are the worst software on the planet for this; without a browser, this vulnerability for KeePass could not even exist. When all these passwords got hijacked, it was not because they were using KeePass; it was because they were using Google Chrome and other web browsers.

Quote:
BF-SIRT Newsletter 2016-22 | Basefarm SIRT Blog says: June 3, 2016 at 08:38
[…] 5 Security links: KeePass Password Safe update check vulnerable to MITM, won't fix; Google pays $65k to shutter 23 Chrome bugs; 427 million MySpace passwords leaked; 65 million Tumblr […]
CODYQX4 Posted June 3, 2016

.
steven36 Posted June 3, 2016

20 minutes ago, CODYQX4 said:
http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
MITM happens. All because you connect to their Wi-Fi. Most people would connect to a legit-sounding Wi-Fi hotspot in a second even if it was open, unsecured Wi-Fi, and somewhere out there there's some script kiddie BS to make it easy on your end to inject code into HTTP requests. They say HTTPS sites aren't impacted by this. This isn't the first case I've heard. Some ISPs inject crap into your desktop session: MITM and modification of content right at the ISP level by the most hated company in America. A VPN prevents them from doing either, as long as the VPN itself isn't dodgy.

I live so far out in the sticks I doubt a hacker would be around here to try to tap in. What are they going to do, park the car at the end of my road to try to tap in? I would see them. Then they have to figure out my password to get past my router, then they've got to get past my software firewall and VPN. Cell phones don't even get a good signal here.