DEF CON 2025

Response to "Clickjacking" report from DEF CON 2025

Description

At DEF CON 33, a researcher presented on Clickjacking (UI redressing), where users can be tricked into clicking hidden UI elements. The researcher showed a scenario in which a malicious site could prompt a user to click on a transparent password manager autofill interface.

Keeper already blocks cross-domain autofill but collaborated with the researcher to further strengthen the browser extension as described below. We value the security research community and regularly collaborate with researchers to help protect our customers.

Timeline

  • Apr 9, 2025: Researcher reported the issue. Keeper classified it as low severity since autofill from untrusted domains is already blocked.

  • Apr 15, 2025: Engineering delivered a patched test build to the researcher, six days after the report. The researcher noted the fast response.

  • May 26, 2025: Fix released in browser extension v17.1.2 (see release notes).

  • July 25, 2025: Additional edge-case protections added in v17.2.0 (see release notes).

Keeper's Protection

Keeper’s browser extension is designed to autofill credentials and payment information only on websites explicitly saved by the user. This creates a trust relationship between the user and the destination website. Keeper does not allow cross-domain autofill under any circumstances.

Users can optionally enforce stricter matching by requiring a full subdomain match for autofill. This behavior can be enabled via the browser extension’s settings, and it can also be enforced organization-wide by administrators through role-based policies in the Keeper Admin Console.

Automatic autofill of payment cards and address information occurs only when the site matches a saved record in the user's vault and the user has explicitly saved those details for that site. If no matching record exists, nothing is filled automatically: the user must explicitly confirm the autofill operation through a native popup dialog.
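The domain-matching decision above is the core of the protection: a saved record may fill only on the site it was saved for, and the optional stricter setting requires the full hostname to match rather than just the root domain. The following is an added illustration written for this page, not Keeper's code, of what such a check looks like and of the classic mistake (suffix matching) it must avoid. The public-suffix list it embeds is a tiny hypothetical stand-in; real code must consult the complete list from publicsuffix.org, otherwise suffixes such as co.uk or github.io are handled wrongly.

```javascript
// Added example, not Keeper's implementation. Decides whether a saved record
// may autofill on the current page under two policies:
//   "root": page and record share the same registrable domain (eTLD+1)
//   "full": page hostname must equal the record hostname exactly
//           (the stricter "full subdomain match" option described above)
//
// HYPOTHETICAL stand-in for the public-suffix list; use the real list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Extracts a normalized hostname, or null if the URL is unusable.
// WHATWG URL parsing lower-cases the host and strips userinfo, so
// "https://example.com@evil.net/" correctly yields "evil.net".
function hostnameOf(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.hostname.replace(/\.$/, "");
}

// Registrable domain = longest known public suffix plus one label to its left.
// A bare public suffix (e.g. "github.io") is not registrable by anyone.
function registrableDomain(host) {
  if (PUBLIC_SUFFIXES.has(host)) return null;
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  // Unknown suffix: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Hardened check: compares registrable domains (or exact hosts).
function autofillAllowed(pageUrl, recordUrl, policy = "root") {
  const page = hostnameOf(pageUrl);
  const record = hostnameOf(recordUrl);
  if (!page || !record) return false;
  if (policy === "full") return page === record;
  const pageRoot = registrableDomain(page);
  return pageRoot !== null && pageRoot === registrableDomain(record);
}

// Deliberately WRONG check, shown for contrast: string suffix matching lets
// "notexample.com" pass as a match for a record saved for "example.com".
function naiveAutofillAllowed(pageUrl, recordUrl) {
  const page = hostnameOf(pageUrl);
  const record = hostnameOf(recordUrl);
  return !!page && !!record && page.endsWith(record);
}

// Usage:
//   autofillAllowed("https://login.example.com/", "https://example.com/")         -> true
//   autofillAllowed("https://login.example.com/", "https://example.com/", "full") -> false
//   autofillAllowed("https://example.com.evil.net/", "https://example.com/")      -> false
```

The GitHub Pages case is the one worth remembering: without a public-suffix list, alice.github.io and bob.github.io collapse to the same "root" domain, and a record saved for one would fill on the other.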

Reported Behavior

The scenario reported by the researcher required:

  1. Explicitly saving a Keeper record for a malicious or compromised website to your vault,

  2. Visiting that site again, and

  3. Interacting (clicking multiple times) on UI elements overlaid with a transparent Keeper autofill interface.

In this context, the user has already trusted the website by saving credentials to their vault with the exact root domain of the website. There is no vector for a different, unrelated root domain to initiate autofill without this precondition.

Because this relies on the user already trusting and saving the same domain, there is no cross-domain attack vector. The issue was therefore rated low severity, but Keeper implemented additional protections as a precaution.
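The attack scenario depends on the autofill interface being rendered but not perceptible: it is transparent and laid over decoy elements, so a real user click lands on it. The page does not describe the specific changes made in v17.1.2 and v17.2.0, so the following is an added, generic illustration of the kind of guard an extension can apply before honoring a click on injected UI, not Keeper's code. The element objects are a hypothetical stand-in for DOM nodes; in a real content script the same information comes from getComputedStyle, getBoundingClientRect and document.elementFromPoint, and the thresholds below are assumptions.

```javascript
// Added example, not Keeper's implementation. Generic click-gating for an
// injected autofill UI: refuse to act when the UI is effectively invisible,
// is not the topmost element at the click point, or appeared too recently
// for the user to have seen it.
const MIN_EFFECTIVE_OPACITY = 0.9; // hypothetical threshold
const MIN_MS_SINCE_SHOWN = 500;    // hypothetical settle delay, as used by some browser prompts

// Minimal stand-in for a DOM node: style, layout rect, and parent link.
function makeElement(style, rect, parent) {
  return { style, rect, parent };
}

// Opacity composes multiplicatively up the tree: an opaque dropdown inside an
// opacity:0.01 wrapper is invisible, which is exactly the redressing trick.
// display:none / visibility:hidden anywhere in the chain hides it outright.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    const s = node.style;
    if (s.display === "none" || s.visibility === "hidden") return 0;
    opacity *= s.opacity === undefined ? 1 : Number(s.opacity);
  }
  return opacity;
}

function isDescendantOf(node, ancestor) {
  for (let n = node; n; n = n.parent) if (n === ancestor) return true;
  return false;
}

function rectContains(r, p) {
  return r.width > 0 && r.height > 0 &&
    p.x >= r.x && p.x < r.x + r.width &&
    p.y >= r.y && p.y < r.y + r.height;
}

// ui:    the injected autofill element
// click: { x, y, timeStamp, isTrusted }
// env:   { shownAt, elementFromPoint(x, y) } supplied by the caller
function clickIsTrustworthy(ui, click, env) {
  // Script-dispatched events are never trusted (isTrusted is false).
  if (!click.isTrusted) return false;
  // Ignore clicks that arrive before the UI has been on screen long enough.
  if (click.timeStamp - env.shownAt < MIN_MS_SINCE_SHOWN) return false;
  // The UI, including every ancestor, must actually be visible.
  if (effectiveOpacity(ui) < MIN_EFFECTIVE_OPACITY) return false;
  // The click must land inside the UI's rendered box...
  if (!rectContains(ui.rect, click)) return false;
  // ...and nothing else may be drawn on top of it at that point.
  const top = env.elementFromPoint(click.x, click.y);
  return top !== null && isDescendantOf(top, ui);
}
```

Style checks like these catch the opacity and visibility tricks but not every way of hiding content (clip-path, filters, or off-screen transforms, for example). Where it is available, the IntersectionObserver v2 `trackVisibility` option is a more robust signal because the browser itself reports whether the element was actually drawn unobscured.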

Updating

The Keeper Browser Extension v17.2.0 updates automatically across Chrome, Firefox, Edge, Safari, Brave, and other Chromium-based browsers. No further action is required by users.

Contact

If you have any questions, please email us at [email protected].
