Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
HTTP/2 protocol denial of service
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Keeper Security's application servers are protected by AWS Shield which defends against DDoS attacks, and Keeper is not vulnerable to this attack. More info is posted on Amazon's blog here.
If you have any questions, please email us at security@keepersecurity.com.
Notices of recent security advisories and impact on Keeper
As new security advisories are published online for various systems, Keeper Security will post relevant information here.
Response to "AutoSpill" report from Black Hat EU 2023
A presentation at Black Hat EU 2023 discussed credential stealing on mobile password managers. Keeper was listed as an impacted application. Keeper has safeguards in place to protect against this issue as described below.
On May 31, 2022, Keeper received a report from the researcher about a potential vulnerability. We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record.
Keeper has safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user. On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website. The user is asked to confirm the association of the application to the Keeper password record prior to filling any information. On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.
Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store. The user would then need to install the malicious application from Google Play and transact with the application. Alternatively, the user would need to override important security settings on their device in order to sideload a malicious application.
Keeper always recommends that individuals be cautious and vigilant about the applications they install and should only install published Android applications from trusted app stores such as the Google Play Store.
A screenshot of Keeper's protection in place is displayed below. A user is prompted to trust the application from retrieving and filling the specified credentials. This security feature has been in place for several years and no additional updates are required.
This simple Android app demonstration can be viewed on Keeper's public Github repo: https://github.com/Keeper-Security/android_webview_autofill
To learn more about how to keep your smartphone safe, please visit: https://www.keepersecurity.com/blog/2022/10/13/how-to-keep-your-smart-phone-safe-and-personal/
If you have any questions, please email us at security@keepersecurity.com.
Detailed release notes for Keeper Security software on mobile, web, desktop and backend platforms.
Keeper Security posts all release notes, relevant JIRA ticket numbers and links to product documentation on every release.
Release notes:
SSO Connect On-Prem (SSO Cloud is part of Backend API)
Keeper is ISO 27001, 27017 and 27018 certified. Keeper is GDPR compliant, CCPA compliant, HIPAA compliant, FedRAMP and StateRAMP Authorized, PCI DSS certified and certified by TrustArc for privacy.
Security and encryption documentation is published online here.
Bitwarden vulnerability with biometric key storage
https://nvd.nist.gov/vuln/detail/CVE-2023-27706
Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.
Keeper is not impacted by this issue. To ensure that we were not impacted by a similar vulnerability, Keeper contracted a 3rd party penetration tester in July 2023 to validate our protection against this type of attack. The report PDF is posted below:
If you have any questions, please email us at security@keepersecurity.com.
Heap buffer overflow vulnerability in the WebP Codec
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical).
Keeper Security may be impacted by this vulnerability in the Desktop App since we use the Electron framework. As a precaution, we immediately updated to Electron framework version to v22.3.24 and published .
If you have any questions, please email us at security@keepersecurity.com.
"Psychic Signatures" vulnerability in the Oracle Java SE, Oracle GraalVM
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
Oracle link:
Keeper Security is not impacted by this vulnerability. Keeper does not use Java runtimes that are affected, as reported by Oracle. Keeper also does not use the ECDSA implementation in the built-in Java library. Keeper uses BouncyCastle for ECDSA implementation, which is not impacted.
If you have any questions, please email us at security@keepersecurity.com.