Keeper Password Manager Affected by Critical Flaw


Google Project Zero researcher Tavis Ormandy has found a critical flaw in the Keeper password manager. The vulnerability is closely related to one he reported in the same application about a year earlier.

Ormandy came across the flaw after noticing that Keeper was installed by default on a Windows 10 system. He had reported a similar vulnerability about a year ago, and the old attack worked against the new version with only a few minor modifications.

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy said. “I checked and they’re doing the same thing again with this version.”

The critical flaw affects the Keeper browser extensions, which are installed together with the Keeper desktop application unless the user opts out. The extension injects its own privileged UI into web pages, so if an attacker can lure a user who is logged into the extension to a specially crafted website, that page can drive the injected UI and steal passwords stored in the vault.
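To make the bug class concrete, the following is an added illustration (it is not Keeper's code, nor Ormandy's proof of concept). It contrasts an extension that drops its privileged button straight into the page's own document, where any page script can click it, with a design that hosts the UI in a separate extension-origin frame and honours only trusted user events. The tiny DOM and event model is a stand-in so the file runs under Node; the `isTrusted` and cross-origin checks are the ones you would write against the real DOM. The extension origin, page origin and element ids are constructed for the example.

```javascript
// Added illustration, not code from Keeper or Project Zero. Models the flaw
// class described in the article: privileged extension UI injected into an
// untrusted page's document versus UI isolated in an extension-origin frame.

const EXT_ORIGIN = 'chrome-extension://exampleextensionid'; // assumed, not Keeper's id
const PAGE_ORIGIN = 'https://attacker.example';             // constructed

// Minimal stand-in for DOM elements and events so this runs under Node.
class Element {
  constructor(id) { this.id = id; this.listeners = []; }
  addEventListener(type, fn) { this.listeners.push({ type, fn }); }
  dispatch(type, isTrusted) {
    for (const l of this.listeners) if (l.type === type) l.fn({ type, isTrusted });
  }
  // element.click() from script: browsers deliver it with isTrusted === false.
  click() { this.dispatch('click', false); }
  // A real pointer event generated by the user: isTrusted === true.
  userClick() { this.dispatch('click', true); }
}

class Document {
  constructor(origin) { this.origin = origin; this.byId = new Map(); }
  append(el) { this.byId.set(el.id, el); }
  getElementById(id) { return this.byId.get(id) || null; }
}

// The privileged action: fill a saved credential into the page.
function makeVault() { return { fills: 0, autofill() { this.fills += 1; } }; }

// Vulnerable pattern: the content script injects its button into the untrusted
// page's document and never checks who triggered the click.
function installInjectedUi(pageDoc, vault) {
  const btn = new Element('pm-fill');
  btn.addEventListener('click', () => vault.autofill());
  pageDoc.append(btn);
}

// Hardened pattern: the button lives in a separate document at the extension's
// origin. The page only sees an opaque cross-origin frame, and the handler
// refuses synthetic events.
function installFramedUi(pageDoc, vault) {
  const frameDoc = new Document(EXT_ORIGIN);
  const btn = new Element('pm-fill');
  btn.addEventListener('click', (ev) => { if (ev.isTrusted) vault.autofill(); });
  frameDoc.append(btn);
  const frame = new Element('pm-frame');
  frame.contentDocument = null; // cross-origin: no script access from the page
  pageDoc.append(frame);
  return frameDoc; // held only by the extension, never exposed to the page
}

// Page-side attack script: locate the extension's button and click it.
// Returns true if the page could reach any privileged UI.
function pageScriptAttack(pageDoc) {
  const target = pageDoc.getElementById('pm-fill');
  if (target) { target.click(); return true; }
  const frame = pageDoc.getElementById('pm-frame');
  return !!(frame && frame.contentDocument);
}

function demoInjected() {
  const page = new Document(PAGE_ORIGIN), vault = makeVault();
  installInjectedUi(page, vault);
  pageScriptAttack(page);
  return vault.fills; // 1: credential filled with no user action at all
}

function demoFramed() {
  const page = new Document(PAGE_ORIGIN), vault = makeVault();
  const frameDoc = installFramedUi(page, vault);
  pageScriptAttack(page);
  const afterAttack = vault.fills;            // 0: page cannot reach the button
  frameDoc.getElementById('pm-fill').click(); // synthetic click inside the frame
  const afterSynthetic = vault.fills;         // 0: isTrusted is false
  frameDoc.getElementById('pm-fill').userClick();
  return { afterAttack, afterSynthetic, afterUser: vault.fills }; // 0, 0, 1
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('injected UI, fills driven by page script:', demoInjected());
  console.log('framed UI:', demoFramed());
}
```

The frame design closes the script-driven path, but it does not by itself defeat clickjacking: a page can still overlay a transparent element so that a genuine, trusted click lands on the frame. Sensitive confirmations therefore belong in UI the page cannot position at all, such as the extension's own popup, or must verify that the frame is actually visible before acting.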

Keeper released a patch within 24 hours of Ormandy's report. The fix shipped in version 11.4.4 and has already reached Chrome, Firefox and Edge users through the browsers' automatic extension updates; Safari users must update the extension manually.

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper stated in a post informing customers of the vulnerability and the patch.

The company said it had found no evidence that the vulnerability was exploited, and noted that the mobile and desktop applications were not affected.

Tavis Ormandy published a proof-of-concept (PoC) exploit that steals a user's Twitter password from Keeper.

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at www.virusguides.com.
