Issue 917

Issue metadata

Status: Fixed
Closed: Nov 2016


Keeper: Trusted UI is injected into untrusted webpage

Project Member Reported by, Aug 26 2016

Issue description

I took a quick look at Keeper, a password manager for Windows, Mac, Linux. The extension injects its trusted UI into untrusted webpages with a content script. I don't think that's safe to do.

I'm not a web developer, but you can see what I mean in the attached example. I only tested it in Chrome.

A more polished example is obviously possible.

The example does this:

1. Click the little keeper icon you add to input boxes, that's just: document.getElementById('keeper-icon-2').click();
2. Click the search button in the popup that appears.
3. Search for "Google", e.g. document.getElementById('keeper-search-box-input').value="Google"
4. Wait for the search results to appear, then hide the iframe.
5. When the user is about to click, display it and then wait for the password to be inserted.
6. Now the page can read the password.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


Comment 1 Deleted

Comment 2 by Project Member, Aug 26 2016

I tried to make the example more reliable.


Comment 3 Deleted

Comment 4 by Project Member, Aug 26 2016

Keeper sent me an updated build that removes the search feature I was using. I suppose that solves the immediate problem. I noticed that the way messages were passed didn't seem safe though.

For example, it's possible to log someone into your account and then when they save their passwords, they're effectively giving them to you.

For example a website can do this:

x ="");
x.postMessage({client: "ext", cmd: "logout"},"*")
x.postMessage({client: "ext", cmd: "login", login: "", password: "attackerspassword"}, "*")

And now whenever you save a password, you're unknowingly saving it to the attacker. I asked why there isn't a check for message.origin == "chrome-extension://...", etc.
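The origin check asked about above, as an added example that is not Keeper's code: a postMessage listener that first rejects events not sent from the extension's own origin, contrasted with the unchecked pattern the comment describes. EXTENSION_ORIGIN, the session object and the two sample events are assumptions constructed for the demo.

```javascript
// Added example, not code from the Keeper extension or from the report.
// EXTENSION_ORIGIN is a placeholder for the real chrome-extension:// origin.
const EXTENSION_ORIGIN = "chrome-extension://EXTENSION_ID_PLACEHOLDER";
const ALLOWED_CMDS = new Set(["login", "logout"]);

// Shared state-change logic; both handlers below end up here.
function applyCommand(msg, session) {
  if (msg.cmd === "logout") {
    session.user = null;
    return { accepted: true, user: null };
  }
  if (msg.cmd === "login") {
    session.user = msg.login;
    return { accepted: true, user: msg.login };
  }
  return { accepted: false, reason: "unknown cmd" };
}

// Unchecked pattern: trusts any message whose payload merely claims client: "ext".
// Any web page that can reach the listener can drive the session.
function handleMessageUnchecked(event, session) {
  const msg = event.data || {};
  if (msg.client !== "ext") return { accepted: false, reason: "not ext" };
  return applyCommand(msg, session);
}

// Hardened pattern: event.origin is set by the browser and cannot be forged by
// the sender, so compare it against the extension origin before touching data.
function handleMessageChecked(event, session) {
  if (event.origin !== EXTENSION_ORIGIN) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.client !== "ext") {
    return { accepted: false, reason: "malformed message" };
  }
  if (!ALLOWED_CMDS.has(msg.cmd)) {
    return { accepted: false, reason: "unknown cmd" };
  }
  return applyCommand(msg, session);
}

// Constructed sample events shaped like a MessageEvent: the first comes from an
// ordinary web page origin, the second from the extension itself.
const pageEvent = { origin: "https://example.test",
  data: { client: "ext", cmd: "login", login: "someone-else", password: "x" } };
const extEvent = { origin: EXTENSION_ORIGIN,
  data: { client: "ext", cmd: "login", login: "victim", password: "y" } };
```

When the extension side sends messages, pass the page's expected origin as the second argument to postMessage instead of "*" so the data is not delivered to a window it was not meant for.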

Comment 5 by Project Member, Aug 27 2016

I uploaded the example here for testing.

Comment 6 by Project Member, Aug 27 2016

Labels: -Restrict-View-Commit
Summary: Keeper: Trusted UI is injected into untrusted webpage (was: Keeper: trusted UI is injected into untrusted webpage)
It looks like the 10.1.3 update is live on the chrome web store, removing view restriction.
This issue has been fixed with Keeper Browser Extension v10.1.3, which is live on the Chrome web store. Below is the blog post related to the issue:

Comment 8 by Project Member, Nov 1 2016

Status: Fixed (was: New)
