Browser Extension Version 12.3.7

Released on July 12, 2019

Security Updates to Keeper Browser Extension

Background

‌This update addresses two reported potential security vulnerabilities affecting websites that have installed an IFrame from a malicious source. For the exploit to be realized, a sequence of conditions would be required which in turn, would impact the Keeper Browser Extension. No customer has reported being affected by this issue. Despite the fact that this is an extremely rare and improbable situation, Keeper takes all reported bugs seriously.

Within five hours of receiving the security researcher’s vulnerability report, Keeper Security’s development and security team released a new version of the Keeper Browser Extension to eliminate the risk associated with the reported vulnerabilities. The Keeper Browser Extension has been submitted to the app stores for publication. The version number for Chrome, Firefox and Edge is 12.3.7. The Safari version is 14.0.4.

Special thanks to Alesandro Ortiz for the discovery and documentation of this issue.

Reporting Sequence

The security researcher’s findings were reported via Keeper's Bugcrowd Public Vulnerability Disclosure Program today, marked on July 12, 2019 at 2:51 PM PST and 2:53PM PST. Discussions between Keeper’s Security Team and the security researcher occurred within one hour of receiving the researcher’s report. The issues disclosed in the report were accepted, validated and submitted for publication to the app stores, within five hours of receipt.

Summarized Findings in the Security Researcher’s Report

1. Autofill in a sandboxed, untrusted, malicious IFrame

The security researcher reported that a user’s website login credentials could potentially be autofilled into a website containing a malicious sandboxed IFrame to capture the user’s login credentials for that specific site.

Keeper’s Security Team’s Response:

In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:

  1. The website owner / developer (e.g. xyz.com) must explicitly embed a malicious iFrame into their website’s HTML served from the same origin or another domain origin with "sandbox" property set that contains a login form.

  2. The Keeper user would require a password stored in their Keeper Vault for xyz.com.

  3. The Keeper user would need to visit the subject website, xyz.com.

  4. The Keeper user would need to enable Autofill for the subject website, xyz.com, if prompted by the user's Keeper software. If the user previously clicked "Yes" on the Autofill prompt for site xyz.com, the user would not be prompted again.

  5. Keeper then fills the password for the saved xyz.com site into the malicious iFrame which contains the sandbox property.

2. Autofill in untrusted malicious IFrame from different domain

The security researcher reported that a user’s website login credentials could potentially be autofilled into a website containing a malicious IFrame, served from a different domain, to capture the user’s login credentials for that specific site.

In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:

  1. The website owner / developer (e.g. xyz.com) must explicitly embed a malicious IFrame into their website's HTML served from an untrusted origin (e.g. somesite.com) that contains a login form, or the website owner has embedded a 3rd party library from an untrusted origin which injects a malicious IFrame.

  2. The Keeper user would require a password stored in their Keeper Vault for xyz.com.

  3. The Keeper user would need to visit the subject website, xyz.com.

  4. The Keeper user would need to enable Autofill for the subject website, xyz.com, if prompted by the user's Keeper software. If the user previously clicked "Yes" on the Autofill prompt for site xyz.com, the user would not be prompted again.

  5. Keeper then fills the password for the saved xyz.com site into the malicious IFrame served from a different domain.

It would be extremely unlikely and unusual for a website owner to purposely inject an untrusted IFrame into their page source from a different origin. Despite this, Keeper Security’s development team made the security improvements to its browser extension to prevent an autofill operation under the two reported scenarios.

How to Update

‌The Keeper Browser Extension will auto-update from each respective app store (i.e. Mac Store, Chrome Web Store, Firefox Add-ons and Microsoft Edge Store).

We appreciate the detailed report, reproduction steps and supporting documentation provided by the security researcher, Alesandro Ortiz. If you have any questions regarding this update please email security@keepersecurity.com. Alesandro's website is https://AlesandroOrtiz.com.

All security and vulnerability reports are managed and submitted to Keeper's Bugcrowd Public Vulnerability Disclosure program at:

https://bugcrowd.com/keepersecurity