A serious security flaw in the Keeper password manager allowed malicious websites to steal user credentials of Windows 10 device users, a Google Project Zero researcher has revealed.
The researcher observed that the Keeper password manager injected privileged UI into pages, thereby allowing websites to steal passwords.
According to Tavis Ormandy, a researcher with Google’s Project Zero, this flaw was present in a previous version of the Keeper password manager and considering that the firm was aware of it, it is surprising that the flaw is still present in the latest version of the password managing service.
The Keeper password manager is widely bundled with Windows 10 and hence, a large number of Windows 10 device owners were vulnerable to the security flaw. Keeper, however, patched the flaw once it was contacted by Ormandy.
‘I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they’re doing the same thing again with this version. This is a complete compromise of Keeper security, allowing any website to steal any password,’ said Ormandy.
‘On Dec 14 2017, Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update. This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a malicious code injection technique to execute privileged code within the browser extension,’ said Keeper in a blog post.
‘From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours,’ it added.
Keeper also said that the latest web browser extension update processes in Edge, Chrome and Firefox browsers now include the latest version of Keeper’s browser extension and that all existing users of these browsers are now covered. It added that while Mobile Apps and Desktop Apps were not affected, none of its customers were affected by the bug.
‘All software will eventually have a vulnerability discovered at some point. Security software such as password managers are no exception to the rule. It is fortunate that researchers such as Tavis work to uncover and disclose such vulnerabilities,’ said Javvad Malik, security advocate at AlienVault to SC Media UK.
‘Keeper demonstrated it does take security seriously with an emergency patch issued within 24 hours of receiving the vulnerability report. A very quick turnaround by any measure,’ he added.