Sometimes money outweighs security.
Bogner says that all versions of KeePass, including the latest, are vulnerable.
The flaw is considered critical and has been assigned CVE-2016-5119.
The simple implication is that KeePass devs think profit is more important than the security of users.
KeePass 2's automatic update check uses HTTP to request the current version information, Bogner has discovered.
An attacker who can alter the server response, for example through ARP spoofing or by providing a malicious Wi-Fi hotspot, can therefore feed the client tampered version information.
This is how mega data breaches happen: money overcomes security.
source: www.techworm.net