Google Project Zero security researcher Tavis Ormandy sent a email to Keeper Security about a new vulnerability. Company replied to Ormandy and delivered a patch within 24 hours to the users. The security issue is identified as “privileged UI injection into pages”.
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy wrote in a bug report. “I checked and, they’re doing the same thing again with this version.”
The first time Ormandy informed Keeper Security of the privileged UI injection into pages” issue was in August 2016. At that time, Ormandy explained how the flaw could simply enable an attacker to steal passwords from Keeper users.
“This is a complete compromise of Keeper security, allowing any website to steal any password,” Ormandy wrote in his new advisory.
Keeper browser extension has this particular flaw.
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper wrote in its advisory.
Google Project Zero has a 90-day disclosure policy to publicly reveal the issue. But Keeper solved the issue in 24 hours.
Keeper browser extension has already been automatically updated.
“Assume that everything is hackable,” Jeff Bohren, Chief Software Engineer at Optimal IdM suggests.
Boren mentioned that users look for a password manager which is cloud based along with two-factor authentication.
“2FA does a good job of allowing only individual account owners access to their login credentials,” Bohren said. “If hackers do succeed in guessing a password, they must still breach additional authentication steps before they can reach important data.”
___________________________________________________________________________________
AlertSec ACCESS is a patent pending technology. It is designed to enforce that devices are encrypted before access to a network is granted. Encrypted devices secure your data in case a device is lost or stolen.
