Released on September 30, 2019. Full rollout after 24 hours.
This is a feature update, bug fix and security update for the Keeper browser extension on Chrome, Firefox and Edge browsers.
Changed default password generator length to 20 characters
Improved filling for sites that separate login and password on different screens (Google, IBM Cloud, etc.)
Improved several sites for two-factor code filling (Amazon AWS, Rackspace, Dropbox, several others)
Fixed: Sites that override iFrame styles (datto.com)
Fixed: Zendesk.com login
Fixed: caremark.com
Fixed: Pasting a Password string into an edited record not functioning consistently
Fixed: Removed locks appearing on buttons (Okta.com)
Security Update 1: UI Clickjacking on partially visible form
To prevent malicious websites from performing "clickjacking" attacks against the Keeper extension on partially visible forms (specifically the payment card and address info), we have added additional protections. Users are now prompted to confirm their intention to load payment card and address details. The methods used to load information are blocked until the user approves the action. If the user has previously saved a login/password for the website, the user will not be prompted for the additional confirmation.
Special thanks to the security researcher who submitted the report to Keeper's security team via the Bugcrowd Bug Bounty program.
Security Update 2: Renderer compromise scenario
Chrome's "Site Isolation" protects users against attackers who are able to compromise the renderer process. This means that an attacker who can run arbitrary code inside the renderer process can't steal information from other sites. In the remote case that an attacker has successfully compromised the Chrome web browser and defeated the "Site Isolation" capabilities of Chrome, additional protections can be put in place to ensure that the Keeper extension cannot also be compromised by sending arbitrary messages to the Keeper background process. A link to a discussion on this topic can be found here: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/0ei-UCHNm34
Although an attacker would first need to defeat Chrome's site isolation, the Chrome team and a prominent security researcher now recommend that all browser extension developers implement the necessary changes. To resolve this potential issue, Keeper now performs additional message checks to verify the originator of the message, even in the case of a compromised Chrome browser.
Special thanks to the security researcher who submitted the report to Keeper's security team via the Bugcrowd Bug Bounty program.
For more information about the Keeper Security Bug Bounty Program or to submit a bug, please visit: https://bugcrowd.com/keepersecurity
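The kind of message-originator check described in Security Update 2, as an added example that is not Keeper's code: a background-process handler that decides what a message may do from the browser-supplied MessageSender fields (id, url, tab) and never from values inside the message. The extension id, action names and vault records are hypothetical, and the example assumes the sender fields are filled in by the browser rather than by the page.

```javascript
// Added example; EXTENSION_ID, the message names and the vault layout are hypothetical.
const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // constructed placeholder id
const SAMPLE_VAULT = [ // constructed sample records
  { origin: "https://bank.example", user: "alice" },
  { origin: "https://mail.example", user: "alice@mail.example" },
];

// What each kind of sender may ask for. Content scripts live in the renderer,
// so they get the narrowest set.
const ALLOWED = {
  "content-script": new Set(["getLoginsForPage"]),
  "extension-page": new Set(["exportVault"]),
};

// Classify the sender from browser-supplied MessageSender fields only.
function classifySender(sender, ownId = EXTENSION_ID) {
  if (!sender || sender.id !== ownId || typeof sender.url !== "string") return null;
  let url;
  try { url = new URL(sender.url); } catch { return null; }
  if (url.protocol === "chrome-extension:" && url.host === ownId) {
    return { kind: "extension-page", origin: null };
  }
  if (url.protocol === "https:" && sender.tab) {
    return { kind: "content-script", origin: url.origin };
  }
  return null; // unknown scheme, plain http, or no tab: refuse
}

function handleMessage(message, sender, vault = SAMPLE_VAULT, ownId = EXTENSION_ID) {
  const who = classifySender(sender, ownId);
  if (!who || !message || typeof message.action !== "string") return { error: "rejected" };
  if (!ALLOWED[who.kind].has(message.action)) return { error: "rejected" };
  if (message.action === "exportVault") return { records: vault };
  // Any origin claimed inside the message is ignored; only the
  // browser-reported origin selects records.
  return { records: vault.filter((r) => r.origin === who.origin) };
}

// Register only when running inside an extension background context.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender));
  });
}
```

A message sent from a tab on https://bank.example that claims a different origin in its payload still receives only the bank.example record, and privileged actions are refused unless the sender URL is one of the extension's own pages.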