Nmedia - Fotolia

Flawed Keeper password manager preinstalled on Windows 10

Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials.

After learning of the latest flaw found in a password manager, some experts said the most vulnerable aspect of...

these programs are also what make them the most convenient.

Tavis Ormandy, bringer of nightmares for developers and security researcher at Google's Project Zero, discovered an issue in the Keeper password manager browser extension that could allow an attacker to steal user credentials. Ormandy said the issue was especially troubling because the Keeper password manager is installed by default in Windows 10 and the flaw is very similar to another code injection issue he found in Keeper in August 2016.

"I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works," Ormandy wrote in his bug report. "Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password."

According to a blog post about the flaw, Craig Lurey, CTO and co-founder of Keeper Security Inc., based in El Dorado Hills, Calif., said the issue was caused by a new feature added in Keeper password manager version 11.3 and released on Dec. 8, 2017.

Lurey said the Keeper password manager flaw was fixed within 24 hours of the company receiving Ormandy's report.

"To resolve this issue, we removed the 'Add to Existing' flow and have taken additional steps to prevent this potential vulnerability in the future," Lurey wrote in the blog post. "Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously. The security and protection of customer information and data is our top priority at Keeper."

Lurey claimed the mobile and desktop versions of the Keeper password manager were not affected and an updated version of the browser extension has already been pushed out for Microsoft Edge, Google Chrome and Mozilla Firefox. Apple Safari users will need to update manually.

Password manager security

Experts were somewhat split on the value of software like the Keeper password manager with some saying password managers are still the best option, while others pushed for abandoning single passwords in favor of multifactor authentication and biometrics.

If a hacker gains access to a password vault, they literally have access to hundreds of passwords and possibly credit cards, social security numbers, or other personal information.
Lamar Baileysenior director of security research and development, Tripwire

Lamar Bailey, senior director of security research and development at Tripwire, summed up sentiment best.

"Many people rely on password managers to keep track of all the required passwords they need to access all the sites visited daily. It is good that they have become popular and people are not reusing passwords, but this also means they have become a target for hackers," Bailey told SearchSecurity. "If a hacker gains access to a password vault, they literally have access to hundreds of passwords and possibly credit cards, social security numbers or other personal information. Any vulnerability that allows an attacker to access a vault should be treated with the highest priority possible."

Others said the benefits of password managers outweigh the risks as long as users follow "best practices." However, some experts said those best practices include avoiding the autofill options within browsers that can make managers so convenient.

Stephen Coty, chief security evangelist at Alert Logic, said users shouldn't have browsers saving your passwords regardless of if it is in the Keeper password manager extension or not.

"While it's very convenient to have your browser save passwords for some of your more frequented sites like Netflix, Amazon or Hulu, it's just really bad security practice," Coty told SearchSecurity. "To have a password safe and keep it located locally on your person, whether a USB stick on a key chain or located on your smart phone, it does not have to be shared with the cloud or your browser. Keep it personal."

John Steven, senior director at Synopsys, said password manager apps on iOS can include this type of security.

"In this scenario, the user must switch between the application in which they're authenticating and the separate mobile app. The user cuts and pastes their credentials between the two. This compartmentalization disallows the kinds of exploitation we're seeing time-and-time-again, but at a high cost to convenience," Steven told SearchSecurity. "Rather than defeating the underlying encryption that protects users' credentials, many of these vulnerabilities attack password managers' interfaces or the APIs that connect them and the browser they service."

Dig Deeper on Application and platform security