(916) 972-9000 info@connectech.us

Do you use “Keeper?”  If you’re not sure what it is, then you probably don’t. It’s a password manager that Microsoft has been bundling with some of its Windows 10 releases or is a free download. Either way, there’s a serious flaw in its design that you should be aware of.

Earlier in the year, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a bug that saw Keeper injecting privileged user information into web pages, exposing all manner of private data unnecessarily to website owners.

The potential damage comes from a user being lured onto a hacker-controlled website, whose owner could siphon up the information (including literally every password stored by Keeper) and resell it, or use it to launch a highly targeted attack against a specific user or device.

The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and, they’re doing the same thing again with this version.

I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”

Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”

The two important takeaways here are as follows:

  • The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
  • Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.

This temporary measure was implemented as a stop-gap until the bug can be properly patched.