Remembering the passwords to all of your online accounts is hard, which is why password managers like LastPass, Dashlane and 1Password exist. But a large encrypted database of usernames and passwords is a prime target for criminals, and several of these services have suffered breaches.

This week, the free password manager KeePass announced on its site that its update check can be tampered with. KeePass fetches its version information file over unencrypted Hypertext Transfer Protocol (HTTP) rather than HTTPS, so an attacker sitting between the user and the KeePass website can forge that response, make KeePass announce a new version that does not exist, and try to steer the user toward a malicious download posing as the update. (If you are not sure what the difference is, look at the URL of this page. HTTPS is HTTP carried over TLS: the connection is encrypted and the server proves its identity with a certificate, so someone on the network can neither read nor alter the traffic, nor pass off their own server as the legitimate site. Plain HTTP provides none of those protections.)

Security researcher Florian Bogner tells LifeHacker that because KeePass uses HTTP for software updates, crooks can create a fake update spiked with malicious software.

KeePass explains on its site:

The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. 

KeePass points out that a forged update notification is not by itself a compromise: KeePass has no automatic update mechanism, so nothing is downloaded or installed unless the user does it. Users who see an update notice should download the new version themselves from the official site and verify the file's digital signature before running it; a file whose signature is missing or invalid should not be installed.
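The following PowerShell script is an added example of that check, not code from the article or from the KeePass project. It refuses a downloaded installer unless its Authenticode signature is valid, the signer's name matches one you recorded from a known-good copy, and the file's SHA-256 hash matches the value you read from the official download page over HTTPS. The file path, the expected signer name and the expected hash are assumptions supplied by the caller; none of them appear in the article.

```powershell
# Added example (not from the article or the KeePass project): verify a
# manually downloaded KeePass installer before running it.
#   1. the Authenticode signature must be intact and chain to a trusted root,
#   2. the signer's subject must match what you saw on a known-good copy,
#   3. the SHA-256 hash must match the one published on the official site.
# $Path, $ExpectedSha256 and $ExpectedSigner are placeholders the caller fills
# in; they are assumptions, not values taken from the article.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,
    [Parameter(Mandatory = $true)][string]$ExpectedSigner
)

function Test-KeePassDownload {
    param([string]$Path, [string]$ExpectedSha256, [string]$ExpectedSigner)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. 'Valid' means the hash embedded in the signature matches the file and
    #    the certificate chains to a trusted root. A tampered or unsigned file
    #    shows up here as 'HashMismatch' or 'NotSigned'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # 2. A valid signature from the wrong publisher is still an attack, since
    #    anyone can buy a code-signing certificate. Pin the subject you expect.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*CN=$ExpectedSigner*") {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected signer: $subject" }
    }

    # 3. Independent check against the hash shown on the download page.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Ok = $false; Reason = "SHA-256 mismatch: got $actual" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "Signed by $subject and hash matches" }
}

$result = Test-KeePassDownload -Path $Path -ExpectedSha256 $ExpectedSha256 -ExpectedSigner $ExpectedSigner
Write-Output $result.Reason
if (-not $result.Ok) { exit 1 }
```

Run it as `.\Test-KeePassDownload.ps1 -Path .\KeePass-Setup.exe -ExpectedSha256 <hash> -ExpectedSigner '<name>'` (file name, hash and signer are placeholders). The signer check matters because a forged "update" can carry a perfectly valid signature from a certificate the attacker bought; the hash check matters because it ties the file to what the official site publishes rather than to whatever the network delivered.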

For more information on how to check a digital signature, watch Bogner's video below:


Published on: Jun 9, 2016