Response to "AutoSpill" report from Black Hat EU 2023
A presentation at Black Hat EU 2023 discussed credential stealing on mobile password managers. Keeper was listed as an impacted application. Keeper has safeguards in place to protect against this issue as described below.
On May 31, 2022, Keeper received a report from the researcher about a potential vulnerability. We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record.
Keeper has safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user. On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website. The user is asked to confirm the association of the application to the Keeper password record prior to filling any information. On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.
Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store. The user would then need to install the malicious application from Google Play and transact with the application. Alternatively, the user would need to override important security settings on their device in order to sideload a malicious application.
Keeper always recommends that individuals be cautious and vigilant about the applications they install and should only install published Android applications from trusted app stores such as the Google Play Store.
A screenshot of Keeper's protection in place is displayed below. The user is prompted to decide whether to trust the application before it can retrieve and fill the specified credentials. This security feature has been in place for several years and no additional updates are required.
This simple Android app demonstration can be viewed on Keeper's public Github repo: https://github.com/Keeper-Security/android_webview_autofill
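The confirmation step described above, modelled as an added example in Python (a language-agnostic model, not Keeper's code and not the code in the demo repo): a record is filled only into an app the user has explicitly associated with it, and any other request, including one from a WebView inside an unknown app showing the record's own domain, produces a prompt rather than a silent fill. The signing-certificate pinning and the browser allowlist go beyond what the page states and are assumptions, as are all package names and digests.

```python
# Constructed model of an autofill trust check. Not Keeper's code; package
# names, signer digests and the browser list are made-up sample values.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    FILL = "fill"      # fill without further interaction
    PROMPT = "prompt"  # ask the user to confirm the app <-> record association
    DENY = "deny"      # never fill (e.g. same package name, different signer)


@dataclass(frozen=True)
class FillRequest:
    package: str                       # host app whose views receive the values
    signer_sha256: str                 # digest of that app's signing certificate
    web_domain: Optional[str] = None   # set when the fields come from a WebView page


@dataclass
class Record:
    title: str
    url_host: str
    # package -> signer digest; populated only by explicit user confirmation
    trusted_apps: Dict[str, str] = field(default_factory=dict)


def host_matches(candidate: str, record_host: str) -> bool:
    """Exact host or a subdomain of it; 'notbank.example' must not match 'bank.example'."""
    candidate, record_host = candidate.lower(), record_host.lower()
    return candidate == record_host or candidate.endswith("." + record_host)


def decide(req: FillRequest, record: Record, browsers: Dict[str, str]) -> Decision:
    """Decide whether `record` may be filled into `req` (assumed policy, see lead-in)."""
    if browsers.get(req.package) == req.signer_sha256:
        # A genuine browser: the page origin decides, never the host app, and a
        # browser is never "associated" with a record (that would fill it anywhere).
        ok = bool(req.web_domain) and host_matches(req.web_domain, record.url_host)
        return Decision.FILL if ok else Decision.DENY
    pinned = record.trusted_apps.get(req.package)
    if pinned is not None:
        # Same package name but a different signer means a repackaged app.
        return Decision.FILL if pinned == req.signer_sha256 else Decision.DENY
    # Never-seen native app, or a WebView inside a non-browser app that happens
    # to show the right domain: the user must confirm the association first.
    return Decision.PROMPT


def confirm_association(record: Record, req: FillRequest) -> None:
    """Called only after the user accepts the prompt for this package."""
    record.trusted_apps[req.package] = req.signer_sha256


# Constructed sample data
BROWSERS = {"com.android.chrome": "sha256:chrome-signer"}
RECORD = Record(title="Example bank", url_host="bank.example")
BROWSER_REQ = FillRequest("com.android.chrome", "sha256:chrome-signer", "login.bank.example")
WEBVIEW_REQ = FillRequest("com.unknown.app", "sha256:unknown-signer", "bank.example")

if __name__ == "__main__":
    print(decide(BROWSER_REQ, RECORD, BROWSERS))   # Decision.FILL
    print(decide(WEBVIEW_REQ, RECORD, BROWSERS))   # Decision.PROMPT
```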
To learn more about how to keep your smartphone safe, please visit: https://www.keepersecurity.com/blog/2022/10/13/how-to-keep-your-smart-phone-safe-and-personal/
If you have any questions, please email us at security@keepersecurity.com.
Bitwarden vulnerability with biometric key storage
Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.
Keeper is not impacted by this issue. To ensure that we were not impacted by a similar vulnerability, Keeper contracted a 3rd party penetration tester in July 2023 to validate our protection against this type of attack. The report PDF is posted below:
If you have any questions, please email us at security@keepersecurity.com.
Heap buffer overflow in libvpx
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Keeper Security may have been impacted by this vulnerability in the Desktop App since we use the Electron framework. As a precaution, we immediately updated the Electron framework to v22.3.25 and published .
If you have any questions, please email us at security@keepersecurity.com.
Response to CVE-2023-36266
https://nvd.nist.gov/vuln/detail/CVE-2023-36266
A researcher filed a CVE (CVE-2023-36266) regarding the scanning of local memory when using Keeper Desktop and browser extension software.
We have disputed this CVE. Keeper performs quarterly pen testing with 3rd party experts including NCC Group, Cybertest and independent security researchers against all of our products and systems. Keeper has also partnered with Bugcrowd to manage its vulnerability disclosure and bug bounty programs. As part of our testing, we explicitly test the storage of secrets in memory while our applications are in use, and when logged out. Keeper removes all decrypted vault data from memory upon logout and provides settings to also wipe memory and restart the app upon vault auto-lock. This functionality has been verified by our pen testers and the test results are available for customer review.
As with any software product, if an attacker controls the local computer, the attacker can perform any action the user or an application could perform. In the case of a password manager, if an attacker can read arbitrary memory, then an attacker can read decrypted contents of the password manager while the application is in use. This applies to any password management product. Security researchers understand that a fully compromised device scenario has severe implications for the user.
Keeper has multiple security mechanisms in place to defend against compromised end-user devices. Keeper client software only decrypts the user's vault upon successful login, and only stores decrypted values during use in volatile memory. When a user is logged out or timed out, decrypted values are removed from memory. In addition, the Keeper desktop application provides a setting in the "Security" screen which forces a full application restart upon auto-logout, to ensure that data is cleared upon locking. In the case of a web browser such as Chrome, Keeper requests the clearing of memory after logout; however, the memory management of the underlying browser is outside of Keeper's control, and the browser's memory management system can sometimes take time to complete this operation.
With all end-user software, it's important to ensure that users reduce the risk of a compromised device by following security best practices, keeping all software up-to-date and installing adequate antivirus / malware protection software.
Keeper has stood by its commitment to protect your most valuable data for more than a decade, through our best-in-class Zero-Knowledge and Zero-Trust security model and transparent approach to sharing it with the public. For information regarding Keeper's security and encryption model, please visit:
https://docs.keeper.io/enterprise-guide/keeper-encryption-model
If you have any questions, please email us at security@keepersecurity.com.
Heap buffer overflow vulnerability in the WebP Codec
https://nvd.nist.gov/vuln/detail/CVE-2022-21449
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical).
Keeper Security may be impacted by this vulnerability in the Desktop App since we use the Electron framework. As a precaution, we immediately updated the Electron framework to v22.3.24 and published Keeper Desktop version 16.10.8.
If you have any questions, please email us at security@keepersecurity.com.
HTTP/2 protocol denial of service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Keeper Security's application servers are protected by AWS Shield which defends against DDoS attacks, and Keeper is not vulnerable to this attack. More info is posted on .
If you have any questions, please email us at security@keepersecurity.com.
Solutions to common Keeper issues and questions based on platform
Detailed release notes for Keeper Security software on mobile, web, desktop and backend platforms.
Keeper Security posts all release notes, relevant JIRA ticket numbers and links to product documentation on every release.
Release notes:
SSO Connect On-Prem (SSO Cloud is part of Backend API)
Keeper is ISO 27001, 27017 and 27018 certified. Keeper is GDPR compliant, CCPA compliant, HIPAA compliant, FedRAMP and StateRAMP Authorized, PCI DSS certified and certified by TrustArc for privacy.
Security and encryption documentation is published online here.
"Psychic Signatures" vulnerability in the Oracle Java SE, Oracle GraalVM
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
Oracle link:
Keeper Security is not impacted by this vulnerability. Keeper does not use Java runtimes that are affected, as reported by Oracle. Keeper also does not use the ECDSA implementation in the built-in Java library. Keeper uses BouncyCastle for ECDSA implementation, which is not impacted.
If you have any questions, please email us at security@keepersecurity.com.
Troubleshooting and support for the Web Vault and Keeper Desktop App
All Keeper Desktop apps are available at the .
Web Vault and Desktop App user guides are .
If you receive an "Unexpected Error" or "Unable to connect" when performing an import using the Keeper Import tool, this is typically due to a conflict with installed Antivirus or Proxy software. If this happens for you, please try importing by installing the Keeper Desktop application instead.
If you are an Enterprise Admin and you have control over the end-user firewall settings, please make sure that the user's desktop applications can communicate with Keeper Security's endpoints (e.g. keepersecurity.com, keepersecurity.eu, keepersecurity.ca, keepersecurity.jp, keepersecurity.com.au or govcloud.keepersecurity.us, depending on the region).
If you are experiencing issues with logging in, you may need to simply clear the Keeper cache in your browser. Here are the steps:
Chrome:
Open the Web Vault
Click on "View" > "Developer" > "Developer Tools"
Click on the "Application" tab > "Clear Storage" > then click on “clear site data”
Edge:
Clear Browsing data (Browsing history, Download History, Cookies and other Site Data, Cached Images and Files, Hosted App Data).
Firefox:
On Privacy & Security page > Clear Data, (Cookies and Site data, Cached Web Content)
Safari:
Go to Preferences > Advanced > select checkbox "Show Develop menu in menu bar"
Then select "Develop" > Empty Caches
Select "Safari" menu then "Clear History" and select All Time
If you receive this error when updating or installing the Desktop App on Windows, follow the below instructions.
1. Browse to "C:\Windows\SoftwareDistribution\Download" and delete the contents of the folder.
2. Press Windows key + X > Click Command Prompt (Admin) then type "wuauclt.exe /updatenow". Hit <enter>.
3. Open Control Panel > Windows Update and Windows 10 should begin downloading.
Press Windows key + X
Click Command Prompt (Admin)
Type (or copy and paste) the following commands at the prompt one at a time, pressing Enter after each:
Dism /Online /Cleanup-Image /CheckHealth
Dism /Online /Cleanup-Image /ScanHealth
Dism /Online /Cleanup-Image /RestoreHealth
Also, run the Windows Update Troubleshooter and check if it helps:
Press “Windows + X” and select Control panel.
In the search box, type troubleshooter, and then click Troubleshooting.
Under System and Security, click Fix problems with Windows Updates.
We love hearing from customers. Send your feature requests to: feedback@keepersecurity.com.
The Mac App Store version of the Keeper application does not support iCloud Keychain password import due to Apple's review process. The solution is to install Keeper Desktop directly from our .
Join our to post questions, feedback or receive new beta versions.
Notices of recent security advisories and impact on Keeper
As new security advisories are published online for various systems, Keeper Security will post relevant information here.
Troubleshooting and support for desktop browser extensions and Autofill
All KeeperFill browser extensions are available at the Keeper download page.
KeeperFill user guides are located here.
We used to have 2 versions of the Firefox extension in the Add-on store. We removed one of them and disabled the use of old versions. Please ensure that you are using only one extension, and ensure it's the latest one from our download page.
A new Safari extension is now available through the Mac App store. Old versions of the Safari extension have been disabled. Please ensure that you are running the latest version from our download page. Make sure to read the latest Safari user guide for step by step instructions.
If you are unable to login to the KeeperFill Safari extension, a reset of the extension may be required. To reset your KeeperFill Safari extension, follow the below steps:
Open Safari and select Safari > Settings
From the Keeper extension, select Settings
Click on "Clear All Storage"
Restart Safari
If you are having issues with Autofill, please make sure you check the below:
Make sure you only have ONE version of Keeper browser extension installed and active.
Don't have multiple password managers installed, such as LastPass and Keeper at the same time. This is known to cause conflicts and bugs when filling sites.
Make sure to turn off your browser's password manager.
Install any pending browser updates. Pending browser updates cause issues with browser plugins.
Ensure that "on all sites" is selected in your browser settings under Window > Extensions > Keeper Details screen under "Site access".
You can sometimes self-fix an Autofill issue by visiting this helpful guide.
If you still need help, this page describes how to capture information that our support team needs to help diagnose the problem.
Send any site-specific Autofill issues to feedback@keepersecurity.com and we'll fix it.
Enterprise customers can disable KeeperFill on sites across the organization. Please be sure to add the site's website address to the KeeperFill enforcement policy for the role in which you reside.
Admins can disable Keeper-fill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable Keeper-fill for internal applications that have a lot of form fields. Read more about this policy.
See our general Browser Extension troubleshooting page
If you're having Autofill issues, see the Autofill feedback page
If you are a website developer looking to integrate, see our Website developers page
We love hearing from customers. Send your feature requests to: feedback@keepersecurity.com.
Join our Beta Slack Channel to post questions, feedback or receive new beta versions.
Released September 20, 2024
VAUL-6966: Updated the vault login screen animations to stop after 30 seconds.
VAUL-6606: Updated the remaining router API endpoints to enhance performance and security.
VAUL-6785: Adjusted the location of the visibility "eyeball" icon for long passwords, ensuring consistent UI across all record views.
VAUL-6821: Introduced a new dialog that users are required to accept when being invited to a managed enterprise, letting users know that the enterprise administrator has the ability to manage their vault in accordance with company policies.
VAUL-6866: Updated URL handling to restrict it to standard HTTP/HTTPS protocols, improving security and validation.
VAUL-6869: Updated the title and meta description of the settings page to enhance SEO and search engine visibility.
VAUL-5853: Addressed formatting inconsistencies within custom record types for Security Q&A fields.
VAUL-5898: Fixed an issue where using the search and location filter together resulted in invalid or unexpected search results.
VAUL-6051: Fixed an issue where the UI adjusted incorrectly after closing an error message generated by an invalid value in the native app filler.
VAUL-6247: Fixed a bug where the "Success" message was missing after successfully removing users from shared records.
VAUL-6312: Resolved a security issue where creating a duplicate record allowed shared users to access the full history, including previous sensitive information.
VAUL-6385: Updated privacy screen for Teams / Owners, ensuring compliance with privacy requirements.
VAUL-6403: Fixed an issue where users with role-based enforcements preventing record creation in shared folders were not receiving feedback when using "Create Duplicate" on a V2 General record.
VAUL-6424: Fixed visual artifacts in the left navigation bar that appeared as unexpected white pixels.
VAUL-6598: Fixed an issue where dropdown menus opened via the enter key couldn't be navigated using arrow or tab keys, improving screen reader accessibility.
VAUL-6599: Resolved an issue where users needed to press the arrow key twice to focus on both icons and text when navigating the "Create New" menu or filter dropdowns via the Enter key.
VAUL-6609: Addressed an issue where attachments in the detail pane of V3 shared records were not being displayed properly after edit or sync.
VAUL-6652: Resolved UI issue where the PAM script model was cut off, improving the user experience.
VAUL-6806: Fixed an issue where security data updates were not occurring as expected, improving data reliability.
VAUL-6827: Resolved an issue where extra white space appeared in custom fields, improving layout consistency.
VAUL-6839: Addressed issues related to missing or bad security data being propagated in certain scenarios.
VAUL-6865: Removed the deprecated asmcrypto.js dependency, improving app performance and security.
VAUL-6882: Fixed a password complexity error that occurred during save, when using the password rotation setting in certain scenarios.
VAUL-6912: Resolved overlapping text issues on Mac/Chrome browsers when displaying tabs.
VAUL-6964: Fixed an issue where the logout timer enforcement was not working as intended.
VAUL-6967: Applied updates to sync timeline, loading vault records and then updating BreachWatch & Security Audit scores.
Troubleshooting and support for the Keeper Android App
Keeper for Android is available at the .
Android user guides are with additional info about .
If you are receiving an error on your mobile app, please make sure to update to the latest version. After you update, we recommend performing a Full Sync by clicking on Sync > Sync Now. This tends to resolve any searching or record-related issues.
If adding a password on your desktop doesn't automatically sync down your Android device, ensure that push notifications are enabled.
Android apps use push notifications for functionality such as:
Realtime sync
Device approvals
Sharing notifications
Please ensure that push notifications are enabled on your device. Also, "Do Not Disturb" mode will prevent certain notifications from appearing.
Having issues on iOS or Android? You may need to simply clear the cache on your device and reset the app settings. But before you do that, please make sure your data is fully available on the Keeper Web Vault or Desktop App.
Go to your device Settings icon, and then tap on the Applications menu. Scroll down until you see the Keeper icon and tap on it. Click on the Clear Data button, and then click OK. The next time you load Keeper, it will be reset to its original settings. Another way is to press-and-hold on the Keeper icon, then open the application info and clear the data.
Re-install Keeper from Google Play on your device
Launch Keeper and Login to your account. You will be asked to approve the device during the login process.
We love hearing from Android customers. Send your feature requests to: feedback@keepersecurity.com.
Okta security breach disclosed in October 2023
Keeper Security is aware of the , where cybercriminals accessed client files through its support system. As part of its support process and system, Okta’s customers upload HTTP Archive (HAR) files which contain sensitive information from the user's web browser. This information included session tokens that were used to impersonate several Okta customers.
Keeper Security does not use any of Okta’s products internally - for Single Sign-On (SSO) or any other purpose. Therefore, Keeper’s internal business operation was not impacted by the security incident at Okta.
Keeper is a zero-knowledge and zero-trust cybersecurity platform which means that all of the encryption of user data occurs on the user's device, and Keeper does not have the ability to access any customer data. Further, least-privilege, role-based access control and delegated administration permit and restrict access for all users in the system. Keeper's employees utilize the Keeper Enterprise platform for authenticating into websites and applications using strong and unique passwords generated by our software.
Keeper SSO Connect® is a powerful feature of the Keeper platform which provides customers with the ability to authenticate into their Keeper vaults using their preferred SAML 2.0 identity provider - both on-premises and in the cloud. Keeper SSO Connect, when properly configured with Okta SSO, provides enterprise-wide authentication and end-to-end encryption with zero-knowledge and zero-trust security.
For those customers who use Okta with Keeper SSO Connect for accessing their Keeper vaults, please implement the following best practices:
Enforce MFA on the Keeper vault in addition to enforcing MFA at Okta for all privileged users. Keeper is the only Enterprise Password Manager that provides an additional layer of MFA to reduce the risk associated with an identity provider takeover attack.
To prevent users from accessing their work vaults outside of approved locations and networks, administrators should activate IP Address Allowlisting. This is a role-based enforcement setting in the Keeper Admin Console which enforces that users can only access their vaults when their device is on an approved network. This should always be enforced for administrative roles.
Reduce administrator privilege for SSO-enabled accounts. If an administrator uses Okta to authenticate into the Keeper platform, reduce the role privilege so that their administrative responsibility is limited in scope to what is needed to perform their role within the organization.
Ensure that at least one administrator is able to access the Keeper platform using a Master Password authentication method in case the SSO identity provider is unavailable.
Activate Keeper's event reporting and alerting system into your security operations. Keeper integrates into any popular SIEM solution including Splunk and Datadog. In the Keeper Admin Console, alerts can be configured to notify your security team covering over 200 different event types.
If you have any questions please contact security@keepersecurity.com.
Before resetting your mobile app, make sure you can first access Keeper on the or and ensure that all of your data is appearing.
Join our to post questions, feedback or receive new beta versions.