
Issue 1481


Issue metadata

Status: Fixed
Closed: Dec 2017




keeper: privileged ui injected into pages (again)

Project Member Reported by taviso@google.com, Dec 14 2017

Issue description

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I've heard of Keeper; I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked, and they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your Twitter password:

https://lock.cmpxchg8b.com/keepertest.html

Please consider adding regression tests before releasing an update for this issue.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Attachment: Windows 7-2017-12-13-16-33-37.png (43.2 KB)

Comment 3 by taviso@google.com, Dec 14 2017

Keeper replied "we should have a fix built tomorrow and I will let you know when it has been published".

We discussed possible fixes; it sounds like they're just going to disable the feature for now.


Comment 4 by taviso@google.com, Dec 15 2017

Status: Fixed (was: New)
Keeper have told me they've released a fixed version.

Comment 5 by taviso@google.com, Dec 15 2017

Labels: -Restrict-View-Commit
Version 11.4.4 was released 24 hours after the report.  Here's our blog post:
https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/


Comment 7 by taviso@google.com, Dec 17 2017

Keeper sent me a mail requesting multiple changes to this report; the crux of their concern is that they believe the Keeper browser extension is a separate product to their Keeper desktop application, and believe this report conflates the two products.

The Keeper browser extension is installed as part of the default setup flow for the Keeper application; the relevant prompt can be seen in the attached screenshot. Unless a user clicks "Skip" in this dialog, they would be affected by this vulnerability. I stand by my original assessment of this issue, and consider clicking "Skip" here a non-default configuration.

A user must have completed the setup flow to be vulnerable - the existence of the Keeper icon in the start menu alone is not sufficient. If a user has clicked the icon and started using Keeper in the default configuration, they would be vulnerable.


Attachment: keeper.jpg (17.5 KB)
