Release notes older than the last 10 releases
Older release note content is still available, but anything older than the last 10 updates is placed here.
Released on Dec 8, 2021 to Firefox Store Only
Published on Dec 5, 2021
BE-4278: Expiration dates from payment card records not filling properly
BE-4256: Ensure minimum default password strength on "change password" screens is 20 characters.
BE-3920: Remember Email setting does not work
BE-4318: User gets infinite spinner when typing password wrong 2 times
BE-4319: User logged out with "throttle" error after attempting to turn the logout timer on/off
BE-4304: User sometimes logged out from "throttle"
BE-4334: Error when logging into the extension when a URL contains a comma
BE-4335: Form filling issue on turborater.com
BE-4337, BE-4338: Remove old unused code references to resolve flagged vulnerabilities on crxcavator.io (https://crxcavator.io/report/bfogiafebfohielmmehodmfbbebbbpei/16.0.3?platform=Chrome)
BE-4301: Support for new Twitter.com login flows
BE-4291: Autofilling Facebook in German website does not fill
BE-4292: URLs with port numbers in the value are not showing properly on search results
BE-4346: Resolve login issues with Dell.com
BE-4344: Payment cards and addresses are auto-submitting, this should not occur.
BE-4355: BE does not enforce "require re-authentication" enforcement
BE-4301: Support for new Twitter login flow
BE-4314: Payment card filling broken on craigslist
Several improvements for 508 compliance: Focus events, Voiceover, Labels and Field Instruction
BE-4332: Improved syncing in environments with thousands of shared records among thousands of users.
Released on Sept 21, 2021
Released on Sep 27, 2021
Updated User interface, added workflow optimizations around filling and viewing sites.
Support for Record Types. Record Types are launching in late Sept across all devices, however it can be activated for customers on a per-request basis. More information on Record Types is available here: https://docs.keeper.io/enterprise-guide/creating-new-record-types
🇺🇸 Support for the Amazon AWS GovCloud environment. Keeper is currently FedRAMP in-process and public sector entities can now establish their Keeper tenant in the GovCloud environment. Contact the public sector sales team at govsales@keepersecurity.com for more information.
Enhanced 508 Accessibility / Ergonomics support with high contrast themes, larger fonts, better visibility and generally a cleaner layout. Support for screen readers and keyboard navigation has also been improved.
Our password generator has had its special character set expanded to this set:
!@#$%()+;<>=?[]{}^.,
Adding more special characters is a balance between generating the most secure password possible and ensuring the generated passwords do not cause issues on websites. This change increases our password entropy.
BE-4068: Disable Stay Logged In enforcement not allowing user to turn off the setting.
BE-4138: Better handling of the password strength slider
BE-4141: Master Password re-entry feature broken on enforcement
BE-4139: Auto-submit on Microsoft.com
BE-4085: Logout timer with blank input logs out of the extension
BE-4100: Extension remembers email when Remember Email is Off
Released on August 16, 2021
Released on Aug 9, 2021
Released on Aug 9, 2021. Merged with 15.3.6.
BE-4073: Increased the number of special characters to this set:
!@#$%()+;<>=?[]{}^.,
BE-3898: Improved the clarity of the account selection when changing a password.
The right-click context menu is now usable on the entire page, not just over form fields.
BE-4097: The TOTP code on the browser extension is sometimes different than the Web Vault value.
BE-3995: Better handling of expired Enterprise accounts
BE-3935: Wells Fargo login with Single Click Fill
BE-2107: PNC Bank autofill
BE-3721: ebanking-services.com autofill
BE-3404: ZenQMS autofill
BE-3781: Kaysera autofill
BE-2215: ringcentral.com, sainsburys
BE-4054: Compatibility with sites that use craftcms.com
BE-4060: ESPN.com autofill
BE-3615: Fixed interference with Vimeo .woff files
BE-4083: Display if the user's account is throttled
BE-4095: When there is one username field and 3 password fields, autofill fails
BE-3397: Autofill on AT&T business portal
BE-4065: Autofill on abramscapital.com
BE-4063: Autofill on Staplescopyandprint.ca
BE-4062: Autofill on smart-trial.co
Released on June 25, 2021
BE-4000: The password generator only allows a maximum of 51 characters (should be 100)
BE-4008: IP Addresses are displayed and linking incorrectly in record view of search results
BE-3916: SSO login to extension generates "update your account settings" error
BE-3742: "Prompt to Update" dialogue disappears too quickly on page redirect
BE-3707: Payment card autofill fails on portal.azure.com
BE-4013: Creating a record at walmart.com registration screen submits the form prematurely
BE-4036, BE-4016, BE-4017, BE-4019, BE-4021: Fill button fails to fill existing record on various sites
BE-4020, BE-4022: Auto Submit fails on various sites
BE-4025: Auto Submit occurs on various registration forms when it shouldn't
BE-4026: The second password fields of various registration forms are not filled when a new record is created
BE-4015: Privacy Screen allowed user to copy password in one particular flow
BE-3998: If user explicitly turned Autofill OFF, don't prompt to turn autofill on anymore.
BE-4002: Improved Password Change detection routine to ensure password is saved even if the user forgets to click Save.
BE-4035: Records are not deleted for the user immediately when the user is removed from a Team.
BE-2358: Fixed auto-submit on Lifelock website
BE-3968: Locked down Content Security Policy embedded within the extension.
BE-4012: Improved synchronization with the Web Vault and backend system for Logout persistence.
Released on May 10, 2021
BE-3803: Improved memory management / clearing after logout
BE-3864: Right click menu to create payment card not working
BE-3956: Select-all Ctrl+A appended 'a' to end of the string
BE-3864: Google sign-in screen not prompting to save password
BE-3914: Stay Logged In sometimes not keeping the user logged in
BE-3840: Crowdstrike login interferes with icons
BE-3991: When a user creates a new record from the password generator, the autofill and autosubmit toggle settings don't save
BE-3988: Unable to log in to extension when Yubikey is activated (Firefox)
Keeper has been making UI changes across all web-applications and browser extensions to comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d). The Keeper browser extension now supports keyboard navigation and it's compatible with popular screen readers and other assistive technology.
The vault search bar is always visible, and the search logic matches the Web Vault and Desktop App algorithm exactly. Therefore, the same search can be applied in both platforms. Users can search for a website login or any other piece of information stored in their Keeper vault by simply opening the extension and entering their search criteria. The search feature is case insensitive and will match any record within your vault as you type, even partial words. The search results can also be sorted by name and date.
Keeper's password generator is now within easy reach in the extension toolbar landing screen. Users can generate and copy the secure password or use it to create a new record directly from the main screen.
The new "Matching Records" screen will now appear in the extension toolbar window.
Clicking the copy icon next to a record gives you the option to quickly copy the username and password or you can autofill the record by clicking the fill button. If there are many record matches, users can enter search terms to narrow down the results and even sort them by name or date.
The Autofill and Auto Submit settings can be enabled or disabled for individual records from both the extension toolbar and fill window.
Important Notes:
This setting will override the global Auto Submit setting.
If you have multiple records that match the same website, Keeper will not auto-fill and you will be prompted to select the record to fill. When there are multiple matches to a domain, you must click "Fill" to prevent undesirable behavior.
From the on-page fill window, users can filter on all records matching the current site's domain name. This is helpful for sites with many stored records.
Release ETA May 5, 2021 on Firefox, Chrome, Edge Browsers.
Released April 2, 2021
Release ETA March 19, 2021
BE-3897: Support for HTTP fill enforcement in the Admin Console. Disabling this enforcement removes the HTTP fill warning from the browser extension prompts.
BE-3917: The "Stay logged In" feature fails when a user closes out of their browser. Affected certain SSO Cloud users.
BE-3909: Custom field matching fails when a record's "Website Address" field is left blank
BE-3889: Clicking on a row within a list of matching records fails to expand/collapse the row
BE-3773: The extension's search field should clear upon returning to it when the user begins typing
Released March 6, 2021 and rolling out over a few days
Multiple: "Stay Logged In" improvements to prevent edge cases where the extension logs out
BE-3822: Added capability for Browser Extension to perform Vault Transfer acceptance
BE-3787: Improved the performance of Firefox when Keeper is running
BE-1873: Improved performance with Dynamics 365
BE-2008: Improved performance with Microsoft Sharepoint
BE-2508: Improved performance with Gitbook.com
BE-2630: Improved performance with eSource
BE-3506: Additional support for Role Policy enforcements in the KeeperFill section of the Admin Console / Role Policy / Enforcements section.
BE-3820: Improved handling of Web socket disconnections (Syncing is broken until logout/login)
BE-3815: Back button freezes the extension in certain paths
BE-3787: Slow performance on Firefox
BE-3808: If Web Vault access is restricted, don't auto-login the user to the Web Vault.
BE-3040: Copy of masked custom field / masked note from search results
BE-3267: Country list with Samoa listed in the wrong location
BE-3331: Certain letters chopped off in the country name list
BE-3335: Extension closes the vault after logging in with Yubikey
BE-3637: Error message appears when trying to login to US data center after having logged into the EU data center with an SSO account.
BE-3651: Login sequentially to accounts on both US and EU region causes the extension to be confused
Estimated Release Date February 5, 2021
BE-3506: Implemented KeeperFill role enforcement policy that enforces all settings/features of the Browser Extension
BE-3637: Error message appears when logging into US SSO after being logged into EU SSO
BE-3378: Logging into EU SSO Vault fails to simultaneously log user into browser extension
BE-3335: Extension closes Vault after logging in with Yubikey 2FA
BE-3113: Character length doesn't update when user clicks on dice icon in record view
BE-3040: Copying masked note or custom field copies the wrong values
BE-3020: Password strength indicator doesn't work as expected
BE-3014: Fill button is not active when user attempts to fill password from browser extension
BE-3685: Character checkboxes don't function as expected
BE-3710: Users are unable to save Vault records with v15 extension on Beta Edge on Linux
BE-3699: Infinite spinner appears after user sets up DUO for US SSO Cloud account
BE-3389: Denying DUO push doesn't close DUO screen
BE-3736: Record match doesn't appear at corresponding website when the site's URL is entered in the custom field
BE-3734: Error message persists after user attempts to save record after filling out the password field
BE-3738: User experiences infinite loop at dropbox.com/dropins/login
BE-3794: Custom field matching doesn't work with subdomains
BE-3811: RSA 2FA method doesn't allow alphanumeric codes
BE-1873: Chrome browser extension causes errors on Dynamics 365 CRM tool
BE-3815: User receives an infinite spinner after clicking back button on device approval
Estimated Release Date: December 23, 2020
Estimated Release Date December 16, 2020
Released on December 10, 2020
Keeper now prompts for 2FA **before** Master Password. This is part of our new Login V3 security protocol.
We have 2 extensions in the store, version 14 and version 15.
Please ensure that you only have one Keeper browser extension installed. Do not install both v14 and v15 on the same browser or you'll run into issues.
BE-3362: This release includes the addition of a session persistence setting, "Stay Logged In". When enabled, this setting allows the user to resume their session based on their "Logout Timer" value, regardless of exiting the application, restarting their computer, etc. This feature can be restricted by the Keeper Admin via Role Policy.
BE-3680: Support for multiple monitors
BE-2334: A new event is created to track when a user selects the "copy" button for a password from the record detail screen
BE-3650: The password generator character limit has increased from 50 to 100 characters
BE-3680: Users with multiple monitors experience visual issues when entering their Master Password and selecting browser extension buttons and switches
BE-3640: Auto-logout fails to clear old timer setting
BE-3439: Edit option is not available when email field is pre-filled in login screen
BE-3375: User receives incorrect error message when the email address field is left empty upon attempted login
BE-3364: Filling of custom field values fails on special character regex
BE-3349: Disabling KeeperFill for specific website fails to prevent form filling from extension toolbar
BE-3347: Device restriction error dialogue offers user incorrect "Forgot Password?" action
BE-3345: Warning message is missing when an Enterprise user attempts to change timer with a logout timer enforcement policy present
BE-3337: Create Record form fails to reset after creating and saving a new record in the form filler
BE-3336: Error message fails to appear when a user leaves the 2FA code field empty upon attempted login
BE-3626: Expected behavior fixes for various vault and browser extension interactions for "Stay Logged In" setting
BE-1851: New user unable to dynamically provision via SSO Connect
BE-3645: Auto-submit fails from search field for various sites
BE-3658: A user is prompted twice for their Master Password when certain conditions are met
BE-3659: User is unable to open their vault from browser extension toolbar at first attempt (FirefoxESR)
BE-3389: DUO push prompt persists after user selects "Deny" button
BE-3344: DUO accounts fail to send a new code when user selects "Resend Code"
BE-3669: Empty records, payment cards and addresses appear editable to the user
BE-3667: A user re-authentication is triggered in attempt to create a new record
BE-2913: Change password action by user fails to trigger change password event
BE-3610: Keeper Push acceptance is not reflected in both windows upon SSO Cloud user login
BE-3676: Keeper Push device approval fails for SSO cloud account that has 2FA (SMS) enabled
Since v15 is a new store listing, we would appreciate if you posted a rating and review.
Release ETA November 11, 2020
The Keeper Browser Extension supporting SSO Connect Cloud is available as a new download from the respective app store on Chrome, Firefox and Microsoft Edge.
New extension v15 is required for SSO Connect Cloud customers
Both v14 and v15 will be maintained during the first phase of deployment
Migration from v14 to v15 is planned for November
🖥️ BETA LINK: https://chrome.google.com/webstore/detail/hlkdkmefjphnecdoiaajhndjmkpkhifo?authuser=1&hl=en
Please ensure only one extension is running at a time. Having multiple Keeper extensions will cause conflicts and errors.
Send any issues to feedback@keepersecurity.com
(Multiple Tickets) login scenarios improved for Cloud SSO user authentication in US and EU regions.
BE-3593: Filling from Search doesn't work
BE-3577: Add additional protections to prevent auto-submit loops
BE-3681: Error "This object no longer exists"
BE-3611: Admin device approval fails for Cloud SSO user with the Account Transfer enforcement policy enabled
BE-3605: Logging into the Web Vault fails to automatically log user into the browser extension when 2FA is enabled (extension v15)
BE-3606: User unable to login with Cloud SSO after switching between accounts
BE-3603: Upgrading Firefox browser extension from version 14.4.0 to 15.0.0 causes several extension settings to reset
BE-3601: Autofill fails when "Require Re-Authentication" enforcement policies are enabled
BE-3604: Duo push doesn't work from first attempt on a new install
BE-2830: Login on redbox.com
BE-3618: Login on disneymovieinsiders.com
BE-3677: Right-click menu show more than 5 credit cards
Released October 1, 2020
Keeper Browser Extension supporting SSO Connect Cloud is available as a separate install from the respective app store on Chrome, Firefox and Microsoft Edge.
Chrome: https://chrome.google.com/webstore/detail/kbedblbpfmeicfpadihimgombbafaeeh?authuser=1&hl=en
Edge: https://microsoftedge.microsoft.com/addons/detail/keeper%C2%AE-password-manager-/mpfckamfocjknfipmpjdkkebpnieooca?hl=en-US
Firefox: https://addons.mozilla.org/en-US/firefox/addon/keeper-password-manager/
Please note the following:
New extension v15 is required for SSO Connect Cloud customers
Do not run v14 and v15 extensions at the same time
Both v14 and v15 will be maintained during the first phase of deployment
Migration from v14 to v15 is planned for November
Released August 25, 2020
Fixed: The logout timer switch is not defaulting properly when enforced.
Fixed: User receives "Decryption Error" message when attempting to login with SSO Master Password rather than their enterprise domain.
Fixed: After user checks "Don't Ask Again" box, prompt to login to the extension still persists after browser restart.
Released August 22, 2020
Fixed: If a record's "Website Address" field is empty, no record matches are presented to the user based on domains that are entered in the custom field values.
Fixed: Following a user's search for a record in the extension toolbar, the "Fill Record" button doesn't work.
Fixed: Various alignment and design inconsistencies.
Released August 20, 2020
New Browser Extension User Interface - This release introduces major improvements to our existing KeeperFill Browser Extension UI. The changes include a complete overhaul of the existing design elements featuring a cleaner, more intuitive user interface. Users can expect increased accessibility to Keeper's tools and features directly from the browser extension, resulting in a streamlined workflow and efficient browser extension usability. In addition to significant visual enhancements, there are a number of noteworthy features that are introduced in this extensive update, including:
Users now have the ability to create new records and edit existing records directly from the browser extension toolbar.
If there is more than one matching record for a site, users can designate which record Keeper will autofill moving forward or simply opt-out of the autofill feature for that single site entirely.
From a site's login field, users can search within the various matching records to locate and fill the desired login credentials. It is important to note the key factors (in order) that determine record matches:
An email address match that is present on the login page
The website subdomain and domain of the Keeper record URL (e.g. xyz.microsoft.com will first match xyz.microsoft.com and second, microsoft.com)
The website path (e.g. /some/path/to/file)
When a record was last filled or edited
Users can expect simpler, more intuitive navigation of Keeper's dynamic browser extension settings; including the addition of font size adjustability and easier access to the logout timer. The familiar settings users have come to know such as themes, hover locks, auto-submit and match on subdomain still remain within the Settings menu.
This update presents a larger, more accessible search bar for improved usability as well as a significantly faster search experience.
Users can quickly view and search their record "Favorites" containing the most frequently visited sites directly from the browser extension toolbar.
Released June 1, 2020
Released May 20, 2020
Fixed: A communication key is generated when a user attempts to login to their vault from the browser extension.
Fixed: Browser extension does not offer "Remember for 30 Days" option when only DUO push is available for 2FA method.
Fixed: Various issues causing site slowdowns.
Fixed: Email field in the extension login screen fails to clear after user clicks "Add Account".
Released May 5, 2020
Master Password Re-entry Enforcement - This role enforcement allows Admins to further enhance their security policies by requiring users to re-enter their Master Password in order to unmask or copy a password. Once unmasked, the password will be re-masked after 30 seconds have passed.
Support for Duo Push with SSO Login - Duo Push authentication is now supported for users who login to the Keeper browser extension using SSO.
Fixed: The search function fails to display any results.
Fixed: The Master Password login prompt appears in the Keeper browser extension after logging in and out the Vault with SSO.
Fixed: The autofill feature fills both the first name and city fields of an address form with the user's first name.
Released March 26, 2020
KeeperFill Browser Extension Role Enforcement Update - Administrators now have the ability to prevent their users from enabling the Auto Submit and Prompt to Fill features in the KeeperFill Browser Extension.
Fixed: TOTP code (Time-based One-time Password) is failing to autofill at first login attempt to Facebook, requiring the user to manually enter the code and enable "Remember Browser" setting.
Fixed: Both Auto Submit and autofilling of TOTP codes are not working when logging into Snap Chat.
Fixed: Record favorites from the vault are not appearing in the "Favorites" section of the browser extension.
Fixed: When logging into their web vault, users are not automatically logged into the browser extension as expected. (Chromium Edge).
Fixed: Various sites are missing Keeper locks and do not allow the user to fill their credentials using the right-click context menu.
Released March 23, 2020
Fixed: Auto submit fails when logging into Instagram when TOTP (time-based one-time password) is enabled.
Fixed: Infinite loop occurs when autofilling an Instagram record containing an authenticator app's 2FA code (two-factor authentication).
Fixed: The Firefox browser console is unnecessarily flooded with "Error on Firefox" messages (MacOS)
Released February 19, 2020
Fixed: 2FA codes upon submission are not stored properly in memory and instead are saved to custom fields.
Fixed: "Undefined" appears in the domain field of the extension toolbar following a user logging in and out of an Enterprise domain through the browser extension.
Fixed: SSO accounts with alternate passwords are presenting decryption errors.
Fixed: The "Country" field in address records, is defaulting to the United States when left blank in the Web Vault and then accessed through the browser extension (Chrome).
Fixed: Various website specific autofill issues.
Released January 9, 2020
New Login API - This version introduces the move to the new Restless Server API.
Fixed: Enterprise users that have created Generated Password Complexity Rules (by domain) force every domain, including those not listed in the enforcement, to use these rules when creating records.
Fixed: An issue causing EU SSO redirect to not function as expected.
Fixed: Users with EU account are unable to login through the browser extension; receive "region_redirect" error message.
Fixed: Logging into the browser extension does not simultaneously log user into their Vault (Edge).
Fixed: "Add Account" button in the toolbar extension window redirects users to the registration page rather than the login page.
Fixed: An issue related to the extension's change password feature at the Salesforce site. The form fields do not appear activated when password feature inputs both password and TOTP entries.
Fixed: User unable to uncheck "Remember Email" box at login screen.
Fixed: An infinite spinner appears when user attempts to login with an expired trial account.
Pre-release notes for the upcoming Keeper Browser Extension v14.0
Offline Mode - The Browser Extension will support full Offline Mode capability to align with the Keeper Web Vault offline mode. Offline mode will be enforced by the Keeper Administrator on Enterprise accounts via role enforcement policies.
Integration with new Keeper Backend API - The Keeper v14 API platform supports an enhanced level of encryption utilizing encrypted Protocol Buffers instead of JSON. The Keeper Web Vault, Desktop App, iOS, Android and Safari extensions have already migrated to the v14 API.
Autofill improvements on a variety of customer-reported sites
Payment card filling improvements
The estimated release date is August 1, 2019.
Released December 17, 2019
Forced Reload Updates Vault Version - The extension now identifies when the user's Vault is out-of-date and initiates a hard reload to update it to the latest version.
Fixed: An infinite spinner appears in Enterprise accounts with an expired master password when user clicks on "Web Vault".
Fixed: When a user logs into their Vault and installs the extension, the onInstall login to extension does not work.
Fixed: An issue causing the extension to open two tabs upon use of the "Fill from Vault" button (Firefox and Edge).
Released on December 17, 2019
Match on Subdomain - This release introduces a new setting that enables the in-page extension to recognize and differentiate a record's subdomain from its domain.
Only records that match the subdomain of the page visited will be populated into the in-page extension window upon log in.
Alternatively, if no records exist for the subdomain of the page visited but they do for the domain, the in-page extension window will populate all of the existing records containing that domain.
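The subdomain-first, domain-fallback behaviour described above can be sketched as follows. This is an added example, not Keeper's code: the record shape `{ title, url }`, the function names, the behaviour when the setting is off, and the tiny constructed suffix set (standing in for the full Public Suffix List) are all assumptions.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List.
// Assumption: a real matcher would load the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'io', 'uk', 'co.uk']);

// Extract the lowercase hostname from a record or page URL. Records are
// often stored without a scheme, so one is added before parsing.
function hostOf(raw) {
  const text = String(raw || '').trim();
  if (!text) return null;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    return new URL(withScheme).hostname.toLowerCase() || null;
  } catch (_) {
    return null;
  }
}

// Registrable domain = longest matching public suffix plus one more label.
// Returns null for a bare suffix ("co.uk") or a host with no known suffix
// (for example an IP address), so such hosts only ever match exactly.
function registrableDomain(host) {
  if (!host) return null;
  const labels = host.replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// With matchOnSubdomain on: return only records whose host equals the page
// host; if there are none, fall back to every record on the same
// registrable domain. With it off (assumed behaviour): return all records
// on the domain, exact-host matches first.
function matchRecords(pageUrl, records, { matchOnSubdomain = true } = {}) {
  const pageHost = hostOf(pageUrl);
  if (!pageHost) return [];
  const pageDomain = registrableDomain(pageHost);
  const exact = [];
  const sameDomain = [];
  for (const record of records) {
    const host = hostOf(record.url);
    if (!host) continue;
    if (host === pageHost) {
      exact.push(record);
    } else if (pageDomain && registrableDomain(host) === pageDomain) {
      sameDomain.push(record);
    }
  }
  if (matchOnSubdomain && exact.length > 0) return exact;
  return exact.concat(sameDomain);
}

// Constructed sample vault.
const SAMPLE_RECORDS = [
  { title: 'Azure', url: 'https://xyz.microsoft.com/login' },
  { title: 'MS account', url: 'microsoft.com' },
  { title: 'Shop', url: 'https://example.co.uk' },
  { title: 'Unrelated', url: 'https://attacker.co.uk' },
  { title: 'Intranet', url: 'intranet.example.io:8443/app' },
];

console.log(matchRecords('https://xyz.microsoft.com/', SAMPLE_RECORDS).map(r => r.title));
```

The suffix check is what keeps `login.example.co.uk` from being offered the `attacker.co.uk` record: treating the last two labels as "the domain" would put every `co.uk` site in one bucket.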
Keyboard Shortcut to Browser Extension Toolbar + Automatic Search Upon Typing - This feature further streamlines the ability to quickly open the browser extension as well as automate the use of the search bar upon typing, essentially eliminating the need for mouse clicks.
Command+Shift+k (for Mac OS) and Alt+k (for Windows) will automatically open the browser extension toolbar.
Once the browser extension is open, the user can simply begin typing their search terms using the up and down arrows on their keyboard to easily navigate to the desired record. The highlighted record can then be autofilled by pressing the enter key.
Launch Button Triggers Automatic Fill and Login - An enhancement to the "Launch" button within the Vault now, with one click, automatically takes the user to the site, autofills their credentials, and logs them in within a few seconds.
Fixed dozens of reported website autofill issues
Released on October 11, 2019
Fixed: Firefox SSO users with 2FA unable to login.
Fixed: Performance issues when extension is active on complex CRM and Chat applications
Fixed: Inconsistent issue with sorting matching records within the same subdomain
Fixed: Extension errors when using Firefox ESR 60.9
Fixed: Right-click menu can still be used when the domain is restricted by the Enterprise "KeeperFill" enforcement policy.
Released on October 2, 2019
Released on September 30, 2019. Full rollout after 24 hours.
This is a feature update, bug fix and security update for the Keeper browser extension on Chrome, Firefox and Edge browsers.
Changed default password generator length to 20 characters
Improved filling for sites that separate login and password on different screens (Google, IBM Cloud, etc...)
Improved several sites for two-factor code filling (Amazon AWS, Rackspace, Dropbox, several others)
Fixed: Sites that override iFrame styles (datto.com)
Fixed: Zendesk.com login
Fixed: caremark.com
Fixed: Pasting a Password string into an edited record not functioning consistently
Fixed: Removed locks appearing on buttons (Okta.com)
Security Update 1: UI Clickjacking on partially visible form
To prevent malicious websites from performing "clickjacking" attacks against the Keeper extension on partially visible forms (specifically the payment card and address info), we have added additional protections. Users are now prompted to confirm their intention to load payment card and address details. The methods used to load information are blocked until such time that the user approves the action. If the user has a login/password saved for the website previously, the user will not be prompted for the additional confirmation.
Special thanks to the security researcher who submitted the report to Keeper's security team via the Bugcrowd Bug Bounty program.
Security Update 2: Renderer compromise scenario
Chrome's "Site Isolation" protects users against attackers who are able to compromise the renderer process. This means that an attacker who can run arbitrary code inside the renderer process can't steal information from other sites. In the remote case that an attacker has successfully compromised the Chrome web browser and defeated the "Site Isolation" capabilities of Chrome, additional protections can be put in place to ensure that the Keeper extension cannot also be compromised by sending arbitrary messages to the Keeper background process. A link to a discussion on this topic can be found here: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/0ei-UCHNm34
Although an attacker would need to first defeat Chrome's site isolation, the Chrome team and a prominent security researcher now recommend that all browser extension developers implement the necessary changes. To resolve this potential issue, Keeper now performs additional message checks to verify the originator of the message, even in the case of a compromised Chrome browser.
Special thanks to the security researcher who submitted the report to Keeper's security team via the Bugcrowd Bug Bounty program.
For more information about the Keeper Security Bug Bounty Program or to submit a bug, please visit: https://bugcrowd.com/keepersecurity
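One way a background process can check the originator of a message before acting on it, as an added example that is not Keeper's code. The message types, the `env` object, the reason strings and the decision to refuse non-HTTPS pages are assumptions; `sender` mirrors the `MessageSender` object Chrome passes to `chrome.runtime.onMessage` listeners.

```javascript
// Hypothetical message types. Content scripts get a narrow allow-list;
// anything else must come from one of the extension's own pages.
const CONTENT_SCRIPT_ALLOWED = new Set(['getCredentials', 'pageHasLoginForm']);

// Hostname of an https URL, or null for anything else (assumed policy:
// credentials are never released to a non-HTTPS frame in this sketch).
function httpsHost(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'https:' ? parsed.hostname.toLowerCase() : null;
  } catch (_) {
    return null;
  }
}

// Decide whether to act on a message.
//   message: payload written by the sending script, treated as untrusted.
//   sender:  { id, url, tab, frameId } as supplied by the messaging layer.
//   env:     hypothetical { extensionId, records: Map<recordId, { url }> }.
function authorizeMessage(message, sender, env) {
  if (!sender || sender.id !== env.extensionId) {
    return { ok: false, reason: 'foreign-sender' };
  }
  if (!message || typeof message.type !== 'string') {
    return { ok: false, reason: 'malformed' };
  }

  // No tab means the sender is not a content script. Only the extension's
  // own pages (popup, options) are accepted in that case.
  if (sender.tab === undefined) {
    const ownPrefix = `chrome-extension://${env.extensionId}/`;
    const isOwnPage = typeof sender.url === 'string' && sender.url.startsWith(ownPrefix);
    return isOwnPage
      ? { ok: true, reason: 'extension-page' }
      : { ok: false, reason: 'unknown-context' };
  }

  // From here on the sender is a content script running inside a web page.
  if (!CONTENT_SCRIPT_ALLOWED.has(message.type)) {
    return { ok: false, reason: 'type-not-allowed-from-page' };
  }
  if (message.type === 'getCredentials') {
    // Compare the record's host with the frame URL reported in `sender`.
    // Any URL or origin the payload claims for itself is ignored.
    const senderHost = httpsHost(sender.url);
    const record = env.records.get(message.recordId);
    const recordHost = record ? httpsHost(record.url) : null;
    if (!senderHost || !recordHost || senderHost !== recordHost) {
      return { ok: false, reason: 'origin-check-failed' };
    }
  }
  return { ok: true, reason: 'content-script' };
}

// Wiring in an extension (not executed here):
//   chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
//     const verdict = authorizeMessage(message, sender, env);
//     if (!verdict.ok) { sendResponse({ error: verdict.reason }); return; }
//     ...handle the request...
//   });

// Constructed sample environment and messages.
const SAMPLE_ENV = {
  extensionId: 'a'.repeat(32),
  records: new Map([['r1', { url: 'https://bank.example/login' }]]),
};
const spoofed = authorizeMessage(
  { type: 'getCredentials', recordId: 'r1', pageUrl: 'https://bank.example/' },
  { id: SAMPLE_ENV.extensionId, url: 'https://evil.example/', tab: { id: 7 }, frameId: 0 },
  SAMPLE_ENV
);
console.log(spoofed); // the payload's pageUrl claim does not help the sender
```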
Released on August 29th, 2019
This release encompasses new two-factor authentication functionality and a feature improvement along with bug fixes. Below you can find the summary of these items and their benefits.
Two-factor Authentication - This release adds new two-factor authentication functionality to our existing list of capabilities. The new method using TOTP (Time-based One-time Password) adds tokens to records, which are unique time-based multi-digit codes commonly used by websites and apps for two-factor authentication, and makes the capability available across the Chrome Web Store, Mozilla Add-ons and Windows Store. TOTP covers the following functionality:
Protects Two-Factor Codes in an encrypted vault record
Prevents lost access to a Two-Factor Code due to continuous backup
Synchronize Two-Factor Codes to multiple devices and computers
Sharing of Two-Factor Code among individual users & teams
Autofill Two-Factor Codes on most browsers
Emergency Access to your vault
Account Transfer of a user’s vault with Two-Factor codes to admin when off-boarding
Free trial users are restricted to 2 TOTP-enabled records
Changing a "Password Attach Save" to "Submit Button" - This feature improvement allows for the save password button to be attached to the save button in the confirmation screen as well as the submit button on the change password form of the site. This allows the user to skip the confirmation screen going forward.
Fix for Autofill issue filling out the UN/Pass on the wrong url
Fix for an issue which caused password changes to save the 2FA as a custom field
Fix for clickjacking vulnerability
A multitude of record "lock" issues
Adding auto-submit restrictions from vault
A fix for a bug which caused custom field changes to not be published on incremental syncs
Released to BETA on August 16, 2019. Production ETA Aug 20, 2019.
Released on August 6, 2019
This is a bug fix release to address several site-specific Autofill issues. Chrome, Firefox and Edge browsers have been released. Safari will release with the next Desktop application update.
KeeperFill was removing some form elements of certain sites. This happened because certain websites inject an "eyeball" element to allow users to see the password that they are typing in. We attempted to control this by removing the feature of the target website, but unfortunately it caused issues with certain sites. This has been reverted and we have addressed the issue.
Resolved performance issues that affected the BlackBoard university systems.
Improved Fill issues on dozens of reported websites
Created Backend support for upcoming TOTP field types release
Security Update to Keeper Browser Extension published on July 20, 2019.
This update addresses a potential security vulnerability on the Keeper Browser Extension version 12.4.0. Within three hours of receiving the security researcher’s vulnerability report, Keeper Security’s development and security team released a new version of the Keeper Browser Extension to eliminate the risk associated with the reported vulnerability. The version number for Chrome and Firefox is 12.4.1. Version 12.4.0 has been blocked and is no longer available for use. Version 12.4.1 is now live on Chrome and Firefox app stores.
For the exploit to be realized, a sequence of conditions would be required, which in turn would impact the Keeper Browser Extension. No customer reported being affected by this issue.
Special thanks to Jun Kokatsu for the discovery and documentation of this issue.
The security researcher’s findings were reported via Keeper's Bugcrowd Public Vulnerability Disclosure Program today, marked on July 20, 2019 at 3:50AM PST. Discussions between Keeper’s Security Team and the security researcher occurred within three hours of receiving the researcher’s report. The issues disclosed in the report were accepted, validated and submitted for publication to the app stores, within five hours of receipt.
The security researcher reported that a user’s stored data could be read by a malicious website utilizing a cross-site scripting attack against the browser extension code.
In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:
The user must visit a malicious website using version 12.4.0 of the Keeper Browser extension released between July 19, 2019 at 7PM PST and July 20, 2019 9:35AM PST on Chrome or Firefox.
The Keeper user would require a password stored in their Keeper Vault for xyz.com.
The malicious website would then request the password and associated data stored for the site xyz.com upon visiting the malicious website.
The Keeper Browser Extension will auto-update from Chrome Web Store and Firefox Add-ons. The old extension version 12.4.0 which was released approximately 12 hours earlier has been disabled.
We appreciate the detailed report, reproduction steps and supporting documentation provided by the security researcher, Jun Kokatsu.
All security and vulnerability reports are managed and submitted to Keeper's Bugcrowd Public Vulnerability Disclosure program at:
Released on July 19, 2019
This is a major feature and bug fix release for the Chrome, Firefox, Edge and Safari browser extensions. This release has been published on Chrome and Firefox as of July 19, 2019. Microsoft Edge and Safari will be live as soon as they are approved by the App Store, ETA July 21, 2019.
Only show Lock Icon on Login and Registration Forms
Feedback from customers is that the "Lock Icon" is showing on too many fields in websites and applications. With this update, the lock icons will only show on Login and Registration form fields. If accessing the extension is required on a field in which Keeper is not showing the lock, you can simply use the new right-click menu.
Location of Popups
Based on customer feedback, we have moved the "Prompt to Save", "Prompt to Fill", "Prompt to Change" and "Prompt to Login" dialogs to the top right section of the web browser window, instead of obstructing the view over the login form. You can customize the location and animation that is used when displaying the popup screens. Visit the Settings -> Prompt Appearance screen.
Right-Click Menu
You can now access many different and useful filling functions from the new Right-Click Menu. Fill logins, payment cards, addresses, and create new passwords with just one click.
Credit Card and Identity Info can now be filled on sites without the restriction of requiring a password stored for that site.
Autofill issues on several reported sites
Locks appearing in non-login forms
Improvements to the Admin Console enforcement policy to disable KeeperFill on specific sites/domains
Improved checks to prevent ability to fill a password into a non-password field
Record moved into a shared folder not recognized by extension until logout/login
Creating new address or payment record not appearing immediately
Released on July 12, 2019
This update addresses two reported potential security vulnerabilities affecting websites that have installed an IFrame from a malicious source. For the exploit to be realized, a sequence of conditions would be required, which in turn would impact the Keeper Browser Extension. No customer has reported being affected by this issue. Despite the fact that this is an extremely rare and improbable situation, Keeper takes all reported bugs seriously.
Within five hours of receiving the security researcher’s vulnerability report, Keeper Security’s development and security team released a new version of the Keeper Browser Extension to eliminate the risk associated with the reported vulnerabilities. The Keeper Browser Extension has been submitted to the app stores for publication. The version number for Chrome, Firefox and Edge is 12.3.7. The Safari version is 14.0.4.
Special thanks to Alesandro Ortiz for the discovery and documentation of this issue.
The security researcher’s findings were reported via Keeper's Bugcrowd Public Vulnerability Disclosure Program today, marked on July 12, 2019 at 2:51 PM PST and 2:53PM PST. Discussions between Keeper’s Security Team and the security researcher occurred within one hour of receiving the researcher’s report. The issues disclosed in the report were accepted, validated and submitted for publication to the app stores, within five hours of receipt.
The security researcher reported that a user’s website login credentials could potentially be autofilled into a website containing a malicious sandboxed IFrame to capture the user’s login credentials for that specific site.
In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:
The website owner / developer (e.g. xyz.com) must explicitly embed a malicious iFrame into their website’s HTML served from the same origin or another domain origin with "sandbox" property set that contains a login form.
The Keeper user would require a password stored in their Keeper Vault for xyz.com.
The Keeper user would need to visit the subject website, xyz.com.
The Keeper user would need to enable Autofill for the subject website, xyz.com, if prompted by the user's Keeper software. If the user previously clicked "Yes" on the Autofill prompt for site xyz.com, the user would not be prompted again.
Keeper then fills the password for the saved xyz.com site into the malicious iFrame which contains the sandbox property.
The security researcher reported that a user’s website login credentials could potentially be autofilled into a website containing a malicious IFrame, served from a different domain, to capture the user’s login credentials for that specific site.
In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:
The website owner / developer (e.g. xyz.com) must explicitly embed a malicious IFrame into their website's HTML served from an untrusted origin (e.g. somesite.com) that contains a login form, or the website owner has embedded a 3rd party library from an untrusted origin which injects a malicious IFrame.
The Keeper user would require a password stored in their Keeper Vault for xyz.com.
The Keeper user would need to visit the subject website, xyz.com.
The Keeper user would need to enable Autofill for the subject website, xyz.com, if prompted by the user's Keeper software. If the user previously clicked "Yes" on the Autofill prompt for site xyz.com, the user would not be prompted again.
Keeper then fills the password for the saved xyz.com site into the malicious IFrame served from a different domain.
It would be extremely unlikely and unusual for a website owner to purposely inject an untrusted IFrame into their page source from a different origin. Despite this, Keeper Security’s development team made the security improvements to its browser extension to prevent an autofill operation under the two reported scenarios.
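Both reported scenarios come down to which origin the fill decision is keyed on. The added example below (not Keeper's code) contrasts a policy that matches the record against the page in the tab with one that matches the frame's own effective origin; the frame descriptors are constructed, and having the content script report `self.origin` is an assumption.

```javascript
// Added example: per-frame autofill decision. Not Keeper's implementation.
// Assumption: a content script in each frame reports frameOrigin (self.origin,
// which is the string "null" for a sandboxed frame) and frameUrl (location.href).

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Weak policy: the record matches the page in the tab, so any frame gets filled.
function naiveShouldFill(record, frame) {
  return originOf(record.url) === originOf(frame.topUrl);
}

// Hardened policy: key the decision on the frame's effective origin.
function shouldFill(record, frame) {
  const recordOrigin = originOf(record.url);
  if (!recordOrigin || !recordOrigin.startsWith("https://")) {
    return { fill: false, reason: "record has no https origin" };
  }
  if (frame.frameOrigin === "null") {
    // Sandboxed frame: its URL may still say xyz.com, but its origin is opaque.
    return { fill: false, reason: "opaque origin (sandboxed frame)" };
  }
  if (frame.frameOrigin !== recordOrigin) {
    return { fill: false, reason: "frame origin differs from record origin" };
  }
  return { fill: true, reason: "frame origin matches record origin" };
}

// Constructed sample data mirroring the two scenarios in the advisory.
const record = { url: "https://xyz.com/login" };
const frames = {
  topLevelLogin: { topUrl: "https://xyz.com/login",
    frameUrl: "https://xyz.com/login", frameOrigin: "https://xyz.com" },
  sandboxedSameSite: { topUrl: "https://xyz.com/login",
    frameUrl: "https://xyz.com/widget.html", frameOrigin: "null" },
  crossOrigin: { topUrl: "https://xyz.com/login",
    frameUrl: "https://somesite.com/form.html", frameOrigin: "https://somesite.com" },
};

// Run both policies over every sample frame.
function evaluate() {
  const out = {};
  for (const [name, frame] of Object.entries(frames)) {
    out[name] = { naive: naiveShouldFill(record, frame), hardened: shouldFill(record, frame) };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The sandboxed case is the one a URL comparison misses: `location.href` still points at xyz.com, while `self.origin` is `"null"`.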
The Keeper Browser Extension will auto-update from each respective app store (i.e. Mac Store, Chrome Web Store, Firefox Add-ons and Microsoft Edge Store).
We appreciate the detailed report, reproduction steps and supporting documentation provided by the security researcher, Alesandro Ortiz. If you have any questions regarding this update please email security@keepersecurity.com. Alesandro's website is https://AlesandroOrtiz.com.
All security and vulnerability reports are managed and submitted to Keeper's Bugcrowd Public Vulnerability Disclosure program at:
https://bugcrowd.com/keepersecurity
Released April 30, 2019
Released April 22, 2019
When creating a new account on a website, we made an improvement to simplify the user flow if the username or password is rejected at the target site.
ADFS SSO Login improvements
Don't Ask Again prompt not behaving to user expectation
Ability to edit a password without unmasking
Other site-specific issues
Releasing Chrome, Firefox, Opera and Edge on February 28, 2019. Note: Safari extensions are not available for update until version 14.0.0 which is deployed via the new Mac App Store.
Subdomain matching and sorting improvements. The sorting of records offered by the KeeperFill on-page login screen will prioritize the subdomain first, followed by the root domain matches. Within each subdomain, the results are sorted by date of last login.
Custom Field matching on website label form field is improved
Account Switching feature implemented for faster selection of previously used accounts
Support for upcoming Password Complexity role enforcement policy on Admin Console
Support Website Address matching on any custom field values
"Do not ask again" is not turning off Prompt to Login
Change Password "Yes" button on Firefox not working
KeeperFill not prompting immediately upon login
Firefox timing related bug fixes
Firefox issue with various websites reported by customers
Improved login to ConnectWise applications
Locks showing on some Date Pickers
Autofill not working for some Russian sites
Locks not showing on staples.com
Ignore email sign-up forms
Fix login for schwab.com
Fix auto-filling of multiple fields on registration forms
Turn off the Browser Extension on the Keeper Admin Console screen
Apple has implemented a major architecture change in Mac OS Mojave and Safari 12 in regards to browser extensions. In the past, the KeeperFill browser extension for Safari has shared a common development platform with Chrome, Firefox, Opera and Edge browsers. Apple now requires developers to publish browser extensions in the Mac App Store using a platform that is unique to the Mac OS ecosystem. We are currently creating a new version of KeeperFill for Safari 12 and Mojave that complies with our strict security requirements. We plan to publish the new Keeper Safari 12 soon. If you haven't updated to Mojave yet, we recommend waiting until the new KeeperFill extension is released. If you have already updated and are no longer able to use KeeperFill, you may use KeeperFill on Chrome, Firefox or Opera browsers until our new Safari extension is published.
Browser Extension Release 14.0.0 adds support for the Mac App Store
Major update to Browser Extensions for Chrome, Firefox, Edge, Opera.
Note: Safari extensions are not available for update until version 14.0.0 which is deployed via the new Mac App Store.
Improved overall user flow for performing "Change Password" on a website
Over 50 site-related bug fixes
Full support for Admin Console v13.1 role enforcement policies
Added "Prompt to Disable" feature
Show On/Off indicator on the status of each prompting feature
Hiding custom fields when masking is enabled
Apple has implemented a major architecture change in Mac OS Mojave and Safari 12 in regards to browser extensions. In the past, the KeeperFill browser extension for Safari has shared a common development platform with Chrome, Firefox, Opera and Edge browsers. Apple now requires developers to publish browser extensions in the Mac App Store using a platform that is unique to the Mac OS ecosystem. We are currently creating a new version of KeeperFill for Safari 12 and Mojave that complies with our strict security requirements. We plan to publish the new Keeper Safari 12 extension this month. If you haven't updated to Mojave yet, we recommend waiting until the new KeeperFill extension is released. If you have already updated and are no longer able to use KeeperFill, you may use KeeperFill on Chrome, Firefox or Opera browsers until our new Safari extension is published.
Sites with many input fields freeze the Edge browser
French website fixes with AutoFill
Duo Security issues in Edge browser
Custom field filling in subsequent pages
Amazon credit card filling
Browser Extension Release 12.3.1 adds support for improved subdomain filtering
Release date: December 10, 2018
Over 40 bug fixes
Select and fill proper record when launching from desktop or web vault
Mask passwords in Edit/New mode
Additional "equivalent domains" added
Localization / translation fixes
Enabled KeeperFill within the Keeper Admin Console
Full support for v13.1 Admin Console role enforcements is not completed.
Firefox BE is auto logging user after 5 minutes
Intralinks site prompts wrong message
Adding a char to notes and deleting it makes prompt freeze
Last record used not being saved for subdomain
Create a new record after editing a record doesn't generate new password
Prompt to Save leaves behind artifact on the screen
Cannot Save Address Edits
Can't create a new record if there's an existing record with the "disable edit" enforcement
Stripe payment widget not working with KeeperFill
Payment fill and new account registration fill on Shopify sites
Amazon.com loops at logout with auto submit
YubiKey issues
Missing Translations (Addresses, Set to Default)
UATP credit card type not being validated
Icon in the Windows store is missing
Google Sheets lock appears in input for conditional formatting
Paypal doesn't bring up prompt only in Safari browser
Autosubmit Not Working on United.com
Digital River e-commerce checkout page doesn't fill credit card
myclientline.net login form
CVC eyeball toggle not working
Password Strength Bar Not Showing Color
Check and X buttons for edit mode do not disappear after edit restriction error message
Twitter change password not working
Adobe account payment screen
Payment card doesn't work on Calendly.com
Credit card filling on Pagerduty.com
Credit card filling on Github.com
Credit card fill doesn't work on JIRA
Credit card filling on Monitis.com
Indeed.com credit card filling doesn't work
Restore Default Settings doesn't default logout timer
Save new password for an existing record does not open vault to view
Southwest.com Payment Fill
GitHub password reset not filling both fields
Console Popup issue
Browser Extension Release 12.3.0 contains a new user experience for "Change Password" flows to address all non-standard websites. In addition, we are completing all role enforcement policy changes for v13.1.0 Admin Console requirements.