The Google Project Zero researcher Tavis Ormandy has found a critical flaw in Keeper password manager. The vulnerability is quite similar to one the expert discovered in the same application over a year ago.
Tavis Ormandy found the security flaw after he spotted that Keeper is already installed by default in Windows 10. The researcher reported a similar vulnerability about a year ago and reproduced the same attack with only a few minor modifications.
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy said. “I checked and they’re doing the same thing again with this version.”
The critical flaw affects the Keeper browser extensions, which, unless users opt out, are installed together with the Keeper desktop application. If attackers succeed in luring an authenticated user to a specially crafted website, the vulnerability lets them steal passwords stored by the application.
Within 24 hours of being notified by Ormandy, Keeper released a security patch. The fix was included in version 11.4.4 and has already been delivered to Edge, Firefox, and Chrome users via the browsers’ automatic extension update process. Safari users will have to update the extension manually.
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper stated in a post informing customers of the vulnerability and the patch.
According to the company, no evidence of exploitation has been found; Keeper also pointed out that the mobile and desktop applications were not affected by the vulnerability.
A proof-of-concept (PoC) exploit that steals a user’s Twitter password from Keeper was made available by Tavis Ormandy.