A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year.

"I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.

"I checked and they're doing the same thing again with this version," the expert added, referring to the Keeper app bundled with some Windows 10 versions.

"I think I'm being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password," Ormandy added.

To prove his point, the expert also created a demo page where Keeper users can see the vulnerability in action.

Keeper admits mistake and issues emergency update
"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension," said Craig Lurey, co-founder and CTO of Keeper Security.
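The flaw class Lurey describes, a page faking user input against privileged UI that an extension injects into it, is what clickjacking defences for injected UI are meant to catch. The following is an added illustration written for this page, not Keeper's code and not its fix: a pre-flight check an extension's injected control could run before honouring a click, refusing clicks that arrive inside a cross-origin frame, that are script-synthesised, that land on an element sitting on top of the control, that hit a transparent control, or that arrive before the control has been visible long enough to be read. The threshold constants, the `collectClickContext` helper and the sample click snapshots are all assumptions constructed for the example.

```javascript
// Added example (not Keeper's code). A defensive check that an extension's
// injected privileged UI can run before acting on a click, so a click faked
// through clickjacking (hidden frame, overlay, freshly popped-up control) is
// refused. The decision logic takes a plain snapshot object so it can be
// unit-tested outside a browser; collectClickContext() shows how a content
// script would build that snapshot from real DOM APIs.

const MIN_VISIBLE_MS = 500;      // control must have been on screen this long (assumed value)
const MIN_VISIBLE_RATIO = 0.95;  // fraction of the control that must be within the viewport (assumed)

// Returns { allow, reasons }. Every failed check is reported so the extension
// can log it; a single failure is enough to refuse the privileged action.
function assessPrivilegedClick(ctx) {
  const reasons = [];
  if (!ctx.isTopLevelFrame) reasons.push('rendered inside a cross-origin frame');
  if (!ctx.isTrustedEvent) reasons.push('event was synthesised by script, not the user');
  if (ctx.hitTestTarget !== ctx.expectedTarget) reasons.push('another element sits on top of the control');
  if (ctx.minAncestorOpacity < 1) reasons.push('control or an ancestor is (partly) transparent');
  if (ctx.visibleRatio < MIN_VISIBLE_RATIO) reasons.push('control is clipped or mostly off-screen');
  if (ctx.msVisible < MIN_VISIBLE_MS) reasons.push('control appeared too recently to have been read');
  return { allow: reasons.length === 0, reasons };
}

// Browser-side collector (assumed content-script context; not executed here).
// `control` is the injected DOM element, `shownAt` the performance.now() value
// recorded when it was made visible.
function collectClickContext(event, control, shownAt) {
  const rect = control.getBoundingClientRect();
  const visibleW = Math.max(0, Math.min(rect.right, window.innerWidth) - Math.max(rect.left, 0));
  const visibleH = Math.max(0, Math.min(rect.bottom, window.innerHeight) - Math.max(rect.top, 0));
  let minOpacity = 1;
  for (let el = control; el; el = el.parentElement) {
    minOpacity = Math.min(minOpacity, parseFloat(getComputedStyle(el).opacity));
  }
  return {
    isTopLevelFrame: window.top === window.self,
    isTrustedEvent: event.isTrusted,
    hitTestTarget: document.elementFromPoint(event.clientX, event.clientY),
    expectedTarget: control,
    minAncestorOpacity: minOpacity,
    visibleRatio: rect.width && rect.height ? (visibleW * visibleH) / (rect.width * rect.height) : 0,
    msVisible: performance.now() - shownAt,
  };
}

// Constructed snapshots standing in for what collectClickContext() would return.
const CONTROL = { id: 'extension-privileged-button' }; // placeholder for a DOM node
const GENUINE_CLICK = {
  isTopLevelFrame: true, isTrustedEvent: true,
  hitTestTarget: CONTROL, expectedTarget: CONTROL,
  minAncestorOpacity: 1, visibleRatio: 1, msVisible: 1200,
};
// A transparent decoy layered over the control: hit test and opacity both fail.
const OVERLAY_CLICK = { ...GENUINE_CLICK, hitTestTarget: { id: 'page-overlay' }, minAncestorOpacity: 0 };
// Control shown inside a frame and clicked 20 ms after appearing: two failures.
const FRAMED_CLICK = { ...GENUINE_CLICK, isTopLevelFrame: false, msVisible: 20 };

console.log(assessPrivilegedClick(GENUINE_CLICK));  // allow: true
console.log(assessPrivilegedClick(OVERLAY_CLICK));  // allow: false, two reasons
console.log(assessPrivilegedClick(FRAMED_CLICK));   // allow: false, two reasons
```

These checks raise the bar but are not airtight: a page can cover an injected control with a decoy that has `pointer-events: none`, which `elementFromPoint` ignores, and the control's own opacity stays 1 because the decoy is not its ancestor. The durable mitigation is the one Ormandy's first quote implies: keep privileged actions out of UI injected into untrusted pages and perform them in extension-owned UI (a browser-action popup or extension page) that the page cannot frame or overlay.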

The issue affects the Keeper browser extension version 11.3. The Keeper team issued an update less than 24 hours after receiving Ormandy's report.

The new Keeper browser extension version 11.4 is now being pushed to users, said Lurey. The exec said the team disabled the problematic "Add to Existing" feature until they fix the flaw within it for good.

Vulnerability not exploited
Lurey said the company was not aware of any attacks using this flaw, nor have customers reported any security incidents where the bug might have been to blame.