The Keeper browser extension flaw: How can users stay secure?

The Keeper browser extension had a vulnerability that highlighted security issues with password managers. Expert Michael Cobb looks at how to avoid security flaws in these tools.

The recent discovery of a flaw in the Keeper browser extension raised concern about password managers. What was the issue with this particular password manager extension? What steps can be taken to avoid issues like the one in the Keeper password manager?

Password management software helps users to cope with the multitude of passwords they need to access online accounts and services. Instead of remembering and manually entering a password, a password manager stores the credentials for different sites and autofills them for the user when they visit those sites. The passwords are encrypted and protected by a master password.

By enabling a user to easily choose a different, complex password for each site, a compromise of one account or set of credentials doesn't immediately put the other accounts at risk. This is a best practice as it makes it a lot easier for people to use long, complex passwords instead of reusing the same password for every site, as many people tend to do. This greatly improves the average user's online security.

Password managers can run locally in the cloud or on a hardware device. Since the Windows 10 Anniversary Update -- version 1607 -- Microsoft has included its own password manager app called Keeper delivered via its Content Delivery Manager and provided by Keeper Security Inc., a password management company based in Chicago.

The master password used to control access to a password manager must be kept very secure, as it provides access to lots of passwords and other personal information that may be stored by the software. The password management software, interface and any APIs that connect it to the browser must also be very robust, but security researcher Tavis Ormandy from Google Project Zero found a flaw in the Keeper browser extension.

The Keeper browser extension is installed as part of the default setup for the Keeper password manager application, and the vulnerability was caused by a new feature added in version 11.3 and released on Dec. 8, 2017. Windows 10 users weren't affected unless they opened the Keeper password manager and enabled the software to store their passwords. Ormandy previously found a flaw with the Keeper plug-in that exploited an on-page feature of the browser extension, and this new flaw is very similar.

The extension injects privileged search elements into webpages that may not be from trusted websites. If a user is tricked into visiting a compromised site and clicks on the Keeper lock icon, a hacker can take advantage of Keeper's search feature to extract a credential from the vault, completely compromising the security of the password management software. Ormandy included a link to a working demo that shows how the vulnerability can be used to steal a visitor's Twitter password by using malicious code injection to execute privileged code within the browser extension.

This flaw in the Keeper browser extension was fixed within 24 hours of Keeper Security receiving Ormandy's report, and an updated version of the browser extension was pushed out for Microsoft Edge, Google Chrome and Mozilla Firefox -- Apple Safari users need to perform a manual update. Keeper developers addressed the vulnerability by removing the Add to Existing feature and making additional changes.

Getting the balance right between convenience and security is never easy. While password managers can improve the strength and variety of a user's login credentials, they are a single point of compromise. Users must follow best practices, like frequently changing the master password.

However, avoiding a browser's autofill functionality greatly reduces the convenience of a password manager. Many experts believe multifactor authentication, biometrics and smart cards are better options than having a browser save a user's passwords.

Finally, network administrators should review the default settings of Microsoft's Content Delivery Manager to stop it from installing unwanted applications.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security