Earlier in the year, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a bug that saw Keeper injecting privileged user information into web pages, exposing all manner of private data unnecessarily to website owners.
The potential damage comes from a user being lured onto a hacker-controlled website, whose owner could siphon up the information (including literally every password stored by Keeper) and resell it, or use it to launch a highly targeted attack against a specific user or device.
The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and, they’re doing the same thing again with this version.
I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”
Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”
The two important takeaways here are as follows:
- The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
- Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.
This temporary measure was implemented as a stop-gap until the bug can be properly patched.