Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)

← Back to Stories (view on slashdot.org)

Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)

Posted by EditorDavid on Sunday June 5, 2016 @08:30AM from the apps-vs-ads dept.

An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.
An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

48 of 96 comments (clear)

Min score:

Reason:

Sort:

Ads? by TechyImmigrant · 2016-06-05 08:41 · Score: 1

I use KeePass2 on my iPhone. It doesn't push ads. So why is this a problem?

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:Ads? by NotInHere · 2016-06-05 08:47 · Score: 5, Informative
  
  Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:
  https://sourceforge.net/p/keep...
2. Re:Ads? by Anonymous Coward · 2016-06-05 08:52 · Score: 1
  
  Ads on the website. Keepass runs on PC as well, to get to download new or update installer you have to go to an insecure site and download software to store your passwords. Not a good thing.
3. Re:Ads? by Anonymous Coward · 2016-06-05 09:16 · Score: 5, Informative
  
  Yeah, browsers are now by default blocking all http connection requests when browsing on https.
  For example. If you had 20 images embedded on a page, and only 1 of those was being served via http, it would simply not show up. Browser usually changes an icon somewhere to let a poweruser know, and I believe you can see the block happen in the dev tool console of firefox/chrome.
  The keepass one is more related to SEO rank dropping like a rock after switching to HTTPS and having to bid on https ads only.
4. Re:Ads? by EvilSS · 2016-06-05 09:39 · Score: 5, Insightful
  
  Then why not put the updates on updates.keepass2.whatever, and enable HTTPS on that but not the root? Every major web server I know of would allow for that type of configuration. I mean, if he can't figure that out, what else has slipped through the cracks?
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
5. Re:Ads? by cstdenis · 2016-06-05 11:06 · Score: 1
  
  And what guarantees that the person who downloaded it and uploaded it to the repo got a safe copy? Unless the developer is putting it in the repo himself they are as vulnerable as anyone else.
  
  --
  1984 was not supposed to be an instruction manual.
6. Re:Ads? by Anonymous Coward · 2016-06-05 11:12 · Score: 1
  
  occasionally and somewhat randomly a bunch of us actually verify the signatures of the applications in DPKGs and RPMs. This is one of the reasons why RPMs default of keeping the original package + patch is so good. The more people that do this, the less easy it is to distribute bad binaries. Also generally the distros are quite careful in verifying checksums of packages they download.
7. Re: Ads? by EvilSS · 2016-06-05 13:49 · Score: 2
  
  and skip fake webviews for crappy ad networks? no way
  He can have it both ways though, that's my point. Make just the download page https, but put a page in front of it so he can keep serving his ads. I get the ads, it's not like the people who are using the software are paying for it and god forbid they donate to help the continued development. But there are technical solutions to this and the fact that he hasn't figured that out concerns me, especially since this is a security product he's making.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
8. Re:Ads? by sexconker · 2016-06-05 14:26 · Score: 1
  
  And where did you get the verification sig from? Did the developer meet with you in person and inject it into your brain?
9. Re: Ads? by TechyImmigrant · 2016-06-05 15:01 · Score: 1
  
  and skip fake webviews for crappy ad networks? no way
  He can have it both ways though, that's my point. Make just the download page https, but put a page in front of it so he can keep serving his ads. I get the ads, it's not like the people who are using the software are paying for it and god forbid they donate to help the continued development. But there are technical solutions to this and the fact that he hasn't figured that out concerns me, especially since this is a security product he's making.
  Web security is a completely different problem space, set of programming languages, attack models, crypto algorithm options and collection of douchebags to deal with than writing a password application. I don't blame him for avoiding the utter crock of crap that passes for working in web security. I certainly avoid it. It's like the people in charge of the specs don't want helping and there are plenty of security problems where you can do good work without being undermined by CAs, prima donnas at the IETF, the government and device manufacturers.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
10. Re:Ads? by Anonymous Coward · 2016-06-05 15:37 · Score: 4, Informative
  
  Because the keepass website doesn't host the updates. The software is hosted on sourceforge and that's where you're taken when you click the link to download the update. Keepass doesn't self-update. It will let you know if a new version is available, but that's all it does. It's then up to the user to go to the keepass website and download and install the new version if they decide to upgrade. And as stated before, those downloads are hosted by sourceforge and its mirrors which appear to serve the installation files via HTTPS already.
11. Re:Ads? by MrNiceguy_KS · 2016-06-06 07:27 · Score: 1
  
  Not on Linux you don't, it comes from a trusted Ubuntu PPA, you don't need to visit any website to install keepass2. Windows and Android users are just shit outta luck doing it this way.
  Android has nothing to do with this because: A) Android users are probably going to install and update through an App store, and B) This dev only works on the Linux, Windows, and OSX versions - the Android ports, (there's several,) IOS, Blackberry, etc... come from different developers.
  
  --
  Redundancy is good And also good.
12. Re: Ads? by EvilSS · 2016-06-06 11:53 · Score: 1
  
  We're talking about a pretty basic solution here, not PCI compliance audits.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
"Security researcher" doesn't understand security by Anonymous Coward · 2016-06-05 08:47 · Score: 1

Listen, kid. Encryption is not a silver bullet. A bulk software download can be served just fine by verifying that the bits haven't been diddled with, without encrypting them. Do that properly and encryption is basically just a waste of cycles and in fact best avoided. As a supposedly smart guy, you ought to understand that.
HTTPS is that hard to do? by Todd+Knarr · 2016-06-05 08:49 · Score: 1, Interesting

I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.
1. Re:HTTPS is that hard to do? by F.Ultra · 2016-06-05 10:13 · Score: 1
  
  That the upgrade tool doesn't already do this is actually the strange part in all of this.
2. Re:HTTPS is that hard to do? by tlhIngan · 2016-06-05 17:38 · Score: 1
  
  I can't believe that changing the client to use HTTPS URLs when checking for and downloading updates would disrupt the rest of the Web site that badly. And as far as users using HTTPS to browse the site, that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS. In this day and age, that should be an issue for only the most incompetent of ad networks.
  
  Apparently the Keepass website has ads, and if he switched the update check over to https, the website would be visitable over https as well, and if https was used on the website, the ads wouldn't be displayed. Or something like that:
  Actually, the problem is HTTPS browsing involves a "privacy" mode in the browser. It's not true privacy mode, but it's one ad networks kinda-sorta want.
  Basically if you're browsing over HTTPS, Referer headers are not sent by the browser. The headers basically tell the servers where the request is coming from.
  Google went all HTTPS for searches for this reason - it denies the destination website information like what Google search was used to land on their website.
  Ad networks have no problems operating on HTTPS, given a lot of sites (e.g., /.) use HTTPS and serve up ads.
  Of course, the payout is far lower for sites without Referer headers.
  There are ways around it - given most advertisers give you a unique URL for the ad network to identify your website, it's trivial to encode the document URL using javascript and appending that to the ad request URL (thus putting a Referer like header in the request). Another way is to just do it like how Google does - force every request through their server that redirects you to the right page - E.g., website-->Google-->website everytime you click a link. (the link you click through Google contains the destination page).
3. Re:HTTPS is that hard to do? by thegarbz · 2016-06-05 19:44 · Score: 1
  
  that shouldn't affect ads unless the ad networks are incapable of serving content via HTTPS
  You can't believe something to be true except for the one scenario you proposed which is actually the cause of the problems. :-)
  He changed his web server to HTTPS and suddenly started getting different ads served which cut his revenue stream. Why, no one is sure yet. Maybe some specific ads couldn't be served over HTTPS but ultimately this isn't a client problem.
  What he needs is two different virtual servers, straight HTTP for visitors to get served ads, and a HTTPS site to serve the download files.
4. Re:HTTPS is that hard to do? by AmiMoJo · 2016-06-06 00:26 · Score: 3, Informative
  
  They pay more for HTTP because browsers don't let them track users in as much detail with HTTPS.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
5. Re:HTTPS is that hard to do? by dave420 · 2016-06-06 03:31 · Score: 1
  
  And if the connection is MitMd to forge the version response, the download of a new binary over HTTP can also be forged, resulting in something clearly undesirable.
6. Re:HTTPS is that hard to do? by F.Ultra · 2016-06-06 08:30 · Score: 1
  
  It's still a upgrade-tool and it still does not check that the available versions are "correct". Of course since the first post he have now changed the tool to do just that so this is all moot but you are still wrong. Yes there is no auto-update tool but here is a upgrade tool just like I wrote to begin width, hardly ignorance my friend!
Bullshit! by Anonymous Coward · 2016-06-05 08:56 · Score: 1

To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible.
It already is possible NOW, it's just that he decided he likes the ad bucks more than keeping his users secure by using the patch.
Glad I don't use any of his products, his attitude to his users sucks and he deserves to lose the lot of them.
1. Re:Bullshit! by Aighearach · 2016-06-06 06:26 · Score: 1
  
  I personally find it really hard to trust somebody on something as important and detail-oriented as security when they don't even know what an important, basic word like "possible" means. I naturally assume that when it comes to knowing what attacks against his product are "possible," he just is unable to do the analysis because he doesn't even know what the question is.
Developer is engaged now. Time Sensitive by bobbutts · 2016-06-05 09:00 · Score: 4, Informative

The developer made a post 8 mins ago in this thread about the vulnerability.
https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398
Use KeePassDroid by Zappy · 2016-06-05 09:03 · Score: 1

Use KeePassDroid, free and ad free, by Brian Pellin
This seems to explain what's going on by dfm3 · 2016-06-05 09:10 · Score: 5, Interesting

Yes, I RTFA. And the discussion thread. And the other linked discussion thread on Sourceforge. And it still took me a while to figure out what this was all about... though I finally found an explanation on this thread which was linked to from a thread that was linked to from the thread in the third link:

Guest98123 5 days ago

I saw an instant 30% drop in revenue when switching my site to HTTPS in April. The implementation was done right, A+ rating from ssllabs, Google reindexed my main pages as HTTPS within a matter of hours, search traffic and overall traffic remained unchanged.

I poked around on my AdSense account to see where I was losing the revenue, since AdSense was still displaying the same number of impressions. It turned out I was seeing a 75% drop in CPC impressions, and AdSense was running low paying CPM impressions instead.

http://i.imgur.com/acy2k0u.png

That's a graph of daily CPC impressions on my account. It's obvious when I switched to HTTPS. That was over a month and a half ago. It hasn't bounced back.

I'm faced with a difficult decision now; whether to go back to HTTP and inform the community we're going to a less secure system for increased ad revenues, or I need to accept a 30% drop in my yearly income, and hope the situation improves as more networks switch to HTTPS.
So it seems that, when using HTTPS, different ads are served. But it doesn't explain why if this revenue is so important, the developer hasn't yet taken the time to find a solution or workaround.
1. Re:This seems to explain what's going on by Richard_at_work · 2016-06-05 09:29 · Score: 4, Interesting
  
  The problem is, Google wont talk to you about it - their decision is invariably final, so you are stuck with whatever their algorithm has decided. In his case, by making the site more secure Google have decided to put him on a lower revenue ad stream - there aint nothing he is going to be able to do to change that.
2. Re:This seems to explain what's going on by Anonymous Coward · 2016-06-05 09:33 · Score: 1
  
  ... But it doesn't explain why if this revenue is so important, the developer hasn't yet taken the time to find a solution or workaround.
  Looks to me like he would rather serve what he knows are insecure adds because they have a higher payout. I call him scum. Sux, cause I use KeePass2. I have been avoiding recent updates because I always see the popup at inconvenient times. Now I will switch to a different PW manager.
3. Re:This seems to explain what's going on by Luckyo · 2016-06-05 14:11 · Score: 1
  
  Security of ads has nothing to do with what they're being served through.
4. Re:This seems to explain what's going on by KozmoStevnNaut · 2016-06-05 20:17 · Score: 2
  
  That seems really strange, considering the massive boner Google has for HTTPS.
  
  --
  Eat the rich.
5. Re: This seems to explain what's going on by Anonymous Coward · 2016-06-05 20:29 · Score: 1
  
  Lick my shitty asshole, son. Why wont you fix your miserable fucking life?
6. Re:This seems to explain what's going on by Aighearach · 2016-06-06 06:18 · Score: 1
  
  It "seems strange" because it offers better information than you thought you had. When facts disprove your beliefs, you can either change your beliefs, or disbelieve the facts.
  Serving lower-paying ads to sites running HTTPS shows you how Google feels about HTTPS. They're an ad company. Whatever PR or outside-of-google information you used as the basis of your "boner" beliefs was clearly inaccurate.
Re:Network Access?? by Sarten-X · 2016-06-05 09:42 · Score: 1

It is not for the base software functionality. It's for the optional upgrade check, which connects to the website and downloads a signed binary. If you're concerned about the integrity of the binary, compare the hashes yourself.

--
You do not have a moral or legal right to do absolutely anything you want.
Fixed, and apparently not a HTTPS issue by rxmd · 2016-06-05 09:43 · Score: 5, Informative

The security issue seems to be fixed as of KeePass 2.3.4 and it looks like the discussion about HTTPS and ads is missing the point. From the website (http://keepass.info/help/kb/sec_issues.html#updsig):
"There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.
First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.
KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.
The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.
The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.
Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver)."

--
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
1. Re:Fixed, and apparently not a HTTPS issue by Aighearach · 2016-06-06 06:31 · Score: 1
  
  The update check goes to the official web site
  The implication was that if your ISP or their ISP or some ISP in between has a pwned router, then that can't really be guaranteed when using HTTP.
  You admit you didn't understand what you were responding to, so how can you possibly know if it is a valid concern or not? Obviously, you have to understand what was said in order to evaluate the relevance. Maybe you don't worry about MITM attacks; some people do. Like the person you didn't understand. ;)
Bunch of FUD by shellster_dude · 2016-06-05 09:44 · Score: 5, Informative

This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so called Man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short you'd have to be dumb enough to not notice you were downloading the file from a trusted source or in the event that this was man in the middled, not notice that the file isn't signed or is signed by the wrong person.
1. Re:Bunch of FUD by aka_bigred · 2016-06-05 11:19 · Score: 1
  
  FYI, This was actually my comment, didn't realize I hadn't signed in so was posted as "anonymous coward"
  
  Agreed. I'm a KeePass2 user as well, so was VERY interested in this topic. Unfortunately, this slashdot story feels like unjustified smear clickbait as far as I can tell after reading the developer's side of things. It might be nice to have a clarification/update to the original post with the rest of the details, not just the sexy, incorrect TL;DR interpretation of the situation.
2. Re:Bunch of FUD by WallyL · 2016-06-06 04:48 · Score: 1
  
  You filled out the AC captcha? That always reminds me to click "Continue editing," back up, copy my text, log in, paste, and submit.
3. Re:Bunch of FUD by Aighearach · 2016-06-06 06:35 · Score: 1
  
  In short you'd have to be dumb enough to not notice ...
  What if it turns out to be a known fact that humans are dumb? Are you seriously arguing that a threat vector is fake if it can only affect "dumb" people? I doubt very many security threats affect Vulcans, but Humans might have a broader need for technical protection.
  Sometimes calling things names only discredits your analysis.
Re:WYGIWYP by Sarten-X · 2016-06-05 09:47 · Score: 1

I'm sorry, sir, but this is the Internet. Your facts and reasonable analysis are unwelcome here.

--
You do not have a moral or legal right to do absolutely anything you want.
Advertising ethics by Livius · 2016-06-05 10:45 · Score: 4, Interesting

I understand that advertising has its place in a market economy, but I can't help but think that advertisers have gone completely insane. They've become stalkers and harassers, if not outright sociopaths, who only become more persistent, aggressive, and disconnected from reality each time they are rejected by the object of their obsession, and I truly think they must have many of the same mental health issues. There are a few rare adverts that make an effort to offer a minimum of entertainment value in exchange for your time and attention, but most display an astonishing sense of entitlement with the way they freely impose nuisance and other costs on their victims. And when the tactics turn out to be dysfunctional and counter-productive, they escalate the aggression rather than reconsidering their world view. They've become addicts who have long since stopped caring about the actual business reasons they are advertising in the first place.
Now they have reached a new level of anti-social behaviour with a new way of endangering their victims.
Just today I went to an office supply website and searched for a chair. In their enthusiasm for trying to blindly guess what else I might want to buy, they showed me dozens of items that were vaguely related to office furniture. They did not, however, show me a single item that was actually a chair.
And before anyone asks, no, I'm not suggesting that this is really comparable to the physical danger that a woman (or man) is in from a mentally deranged ex-boyfriend (or ex-girlfriend) who is stalking them in the criminal law sense. But advertisers are catching up.
Re: Network Access?? by Anonymous Coward · 2016-06-05 11:19 · Score: 4, Informative

Keepass doesn't download a signed or any other binary from any website.
It uses http to get a version.txt and if the number in that file differs from its version, it pops up a notice telling you an update is available on the website.
You need to manually do all the rest.
So.... by Rick+Zeman · 2016-06-05 11:21 · Score: 1

...if an ASUS auto-update delivers a KeePass update do two negatives make a positive?
Actually not really fixed - URL not validated by enriquevagu · 2016-06-05 21:59 · Score: 1

When the website is compromised with a MITM attack, the attacker can provide a (fake) download link which downloads a compromised binary from the compromised website, instead of the original binary from Sourceforge. In such case, the user does not know that the file should be digitally signed by a certain author. Instead, the attacker can modify the site to provide (fake) MD5 and SHA-1 hashes which validate the (fake) binary, or provide a self-signed binary. In particular, the problem is that the URL to the download binary and the binary validation instructions also need to be validated, as well as the binary itself. This would be solved using HTTPS.
Note that this attack does not particularly target recurrent users (looking for updates; they probably know how the program security works and where it is hosted), but particularly first-time users who don't know how it works.
1. Re:Actually not really fixed - URL not validated by RevRagnarok · 2016-06-05 22:44 · Score: 1
  
  The digital signature in question is not an external verification, but instead the one Windows does on the installer. So your UAC popup would also indicate it is a fake binary.
  
  --
  I should put something clever here. Maybe someday.
2. Re:Actually not really fixed - URL not validated by enriquevagu · 2016-06-06 04:22 · Score: 1
  
  I doubt it. The binary could be unsigned, and the (fake) website provide some instructions on ignoring the UAC notification but validating the SHA-1 hash, which would be a sensible way to do when you do not have (or pay) a code signing certificate. More info, for example: http://www.excelsiorjet.com/kb...
Re:"it'd"... LOL by Rick+Zeman · 2016-06-06 04:22 · Score: 1

"It-id." Tough, I know....
Re:Slashdot deserves negative-insightful mods by Aighearach · 2016-06-06 06:51 · Score: 1

In my fuzzy recollection of years gone by, I think slashdot comments were rather more insightful.
It seems that way to me too, but maybe I was just young and stupid and had lower expectations? There is no way for me to know without going back and reading back issues, and there is no way I'm going to spend time on that.

why the economic model of KeePass has failed so badly?
It hasn't, the developer would just make less money with HTTPS ads. He wouldn't stop making money. He'd just make less off this particular residual revenue stream, and he's not willing to milk it for less than the maximum.