Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Response to "AutoSpill" report from Black Hat EU 2023
A presentation at Black Hat EU 2023 discussed credential stealing on mobile password managers. Keeper was listed as an impacted application. Keeper has safeguards in place to protect against this issue as described below.
On May 31, 2022, Keeper received a report from the researcher about a potential vulnerability. We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record.
Keeper has safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user. On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website. The user is asked to confirm the association of the application to the Keeper password record prior to filling any information. On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.
Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store. The user would then need to install the malicious application from Google Play and transact with the application. Alternatively, the user would need to override important security settings on their device in order to sideload a malicious application.
Keeper always recommends that individuals be cautious and vigilant about the applications they install and should only install published Android applications from trusted app stores such as the Google Play Store.
A screenshot of Keeper's protection in place is displayed below. A user is prompted to trust the application from retrieving and filling the specified credentials. This security feature has been in place for several years and no additional updates are required.
This simple Android app demonstration can be viewed on Keeper's public Github repo: https://github.com/Keeper-Security/android_webview_autofill
To learn more about how to keep your smartphone safe, please visit: https://www.keepersecurity.com/blog/2022/10/13/how-to-keep-your-smart-phone-safe-and-personal/
If you have any questions, please email us at security@keepersecurity.com.
Bitwarden vulnerability with biometric key storage
https://nvd.nist.gov/vuln/detail/CVE-2023-27706
Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes.
Keeper is not impacted by this issue. To ensure that we were not impacted by a similar vulnerability, Keeper contracted a 3rd party penetration tester in July 2023 to validate our protection against this type of attack. The report PDF is posted below:
If you have any questions, please email us at security@keepersecurity.com.
Okta security breach disclosed in October 2023
Keeper Security does not use any of Okta’s products internally - for Single Sign-On (SSO) or any other purpose. Therefore, Keeper’s internal business operation was not impacted by the security incident at Okta.
Keeper is a zero-knowledge and zero-trust cybersecurity platform which means that all of the encryption of user data occurs on the user's device, and Keeper does not have the ability to access any customer data. Further, least-privilege, role-based access control and delegated administration permit and restrict access for all users in the system. Keeper's employees utilize the Keeper Enterprise platform for authenticating into websites and applications using strong and unique passwords generated by our software.
Keeper SSO Connect® is a powerful feature of the Keeper platform which provides customers with the ability to authenticate into their Keeper vaults using their preferred SAML 2.0 identity provider - both on-premises and in the cloud. Keeper SSO Connect, when properly configured with Okta SSO, provides enterprise-wide authentication and end-to-end encryption with zero-knowledge and zero-trust security.
For those customers who use Okta with Keeper SSO Connect for accessing their Keeper vaults, please implement the following best practices:
Enforce MFA on the Keeper vault in addition to enforcing MFA at Okta for all privileged users. Keeper is the only Enterprise Password Manager that provides an additional layer of MFA to reduce the risk associated with an identity provider takeover attack.
To prevent users from accessing their work vaults outside of approved locations and networks, administrators should activate IP Address Allowlisting. This is a role-based enforcement setting in the Keeper Admin Console which enforces that users can only access their vaults when their device is on an approved network. This should always be enforced for administrative roles.
Reduce administrator privilege for SSO-enabled accounts. If an administrator uses Okta to authenticate into the Keeper platform, reduce the role privilege so that their administrative responsibility is limited in scope to perform their role with the organization.
Ensure that at least one administrator is able to access the Keeper platform using a Master Password authentication method in case the SSO identity provider is unavailable.
Activate Keeper's event reporting and alerting system into your security operations. Keeper integrates into any popular SIEM solution including Splunk and Datadog. In the Keeper Admin Console, alerts can be configured to notify your security team covering over 200 different event types.
If you have any questions please contact security@keepersecurity.com.
Heap buffer overflow in libvpx
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
If you have any questions, please email us at security@keepersecurity.com.
Keeper Security is aware of the , where cybercriminals accessed client files through its support system. As part of its support process and system, Okta’s customers upload HTTP Archive (HAR) files which contain sensitive information from the user's web browser. This information included session tokens that were used to impersonate several Okta customers.
Keeper Security may have been impacted by this vulnerability in the Desktop App since we use the Electron framework. As a precaution, we immediately updated to Electron framework version to v22.3.25 and published .
Heap buffer overflow vulnerability in the WebP Codec
https://nvd.nist.gov/vuln/detail/CVE-2022-21449
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical).
Keeper Security may be impacted by this vulnerability in the Desktop App since we use the Electron framework. As a precaution, we immediately updated to Electron framework version to v22.3.24 and published Keeper Desktop version 16.10.8.
If you have any questions, please email us at security@keepersecurity.com.
"Psychic Signatures" vulnerability in the Oracle Java SE, Oracle GraalVM
https://nvd.nist.gov/vuln/detail/CVE-2022-21449
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
Oracle link:
https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA
Keeper Security is not impacted by this vulnerability. Keeper does not use Java runtimes that are affected, as reported by Oracle. Keeper also does not use the ECDSA implementation in the built-in Java library. Keeper uses BouncyCastle for ECDSA implementation, which is not impacted.
If you have any questions, please email us at security@keepersecurity.com.
HTTP/2 protocol denial of service
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Keeper Security's application servers are protected by AWS Shield which defends against DDoS attacks, and Keeper is not vulnerable to this attack. More info is posted on Amazon's blog here.
If you have any questions, please email us at security@keepersecurity.com.
Response to CVE-2023-36266
https://nvd.nist.gov/vuln/detail/CVE-2023-36266
A researcher filed a CVE (CVE-2023-36266) in regards to the scanning of local memory when using Keeper Desktop and browser extension software.
We have disputed this CVE. Keeper performs quarterly pen testing with 3rd party experts including NCC Group, Cybertest and independent security researchers against all of our products and systems. Keeper has also partnered with Bugcrowd to manage its vulnerability disclosure and bug bounty programs. As part of our testing, we explicitly test the storage of secrets in memory while our applications are in use, and when logged out. Keeper removes all decrypted vault data from memory upon logout and provides settings to also wipe memory and restart the app upon vault auto-lock. This functionality has been verified by our pen testers and the test results are available for customer review.
As with any software product, if an attacker controls the local computer, the attacker can perform any action the user or an application could perform. In the case of a password manager, if an attacker can read arbitrary memory, then an attacker can read decrypted contents of the password manager while the application is in use. This applies to any password management product. Security researchers understand that a fully compromised device scenario has severe implications for the user.
Keeper has multiple security mechanisms in-place to defend against compromised end-user devices. Keeper client software only decrypts the user's vault upon successful login, and only stores decrypted values during use in volatile memory. When a user is logged out or timed-out, decrypted values are removed from memory. In addition, the Keeper desktop application provides a setting in the "Security" screen which forces a full application restart upon auto-logout, to ensure that data is cleared upon locking. In the case of a web browser such as Chrome, Keeper requests the clearing of memory after logout, however the memory management of the underlying browser is outside of Keeper’s control and can sometimes take time for the memory management system to complete this operation.
With all end-user software, it's important to ensure that users reduce the risk of a compromised device by following security best practices, keeping all software up-to-date and installing adequate antivirus / malware protection software.
Keeper has stood by its commitment to protect your most valuable data for more than a decade, through our best-in-class Zero-Knowledge and Zero-Trust security model and transparent approach to sharing it with the public. For information regarding Keeper's security and encryption model, please visit:
https://docs.keeper.io/enterprise-guide/keeper-encryption-model
If you have any questions, please email us at security@keepersecurity.com.