Browser Extension Version 12.4.1

Security Update to Keeper Browser Extension published on July 20, 2019.

Background

‌This update addresses a potential security vulnerability on the Keeper Browser Extension version 12.4.0. Within three hours of receiving the security researcher’s vulnerability report, Keeper Security’s development and security team released a new version of the Keeper Browser Extension to eliminate the risk associated with the reported vulnerability. The version number for Chrome and Firefox is 12.4.1. Version 12.4.0 has been blocked and is no longer available for use. Version 12.4.1 is now live on Chrome and Firefox app stores.

For the exploit to be realized, a sequence of conditions would be required which in turn, would impact the Keeper Browser Extension. No customer reported being affected by this issue.

Special thanks to Jun Kokatsu for the discovery and documentation of this issue.

Reporting Sequence

The security researcher’s findings were reported via Keeper's Bugcrowd Public Vulnerability Disclosure Program today, marked on July 20, 2019 at 3:50AM PST. Discussions between Keeper’s Security Team and the security researcher occurred within three hours of receiving the researcher’s report. The issues disclosed in the report were accepted, validated and submitted for publication to the app stores, within five hours of receipt.‌

Summarized Findings in the Security Researcher’s Report

The security researcher reported that a user’s stored data could be read by a malicious website utilizing a cross-site scripting attack against the browser extension code. ‌

Keeper’s Security Team’s Response

In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:

  1. The user must visit a malicious website using version 12.4.0 of the Keeper Browser extension released between July 19, 2019 at 7PM PST and July 20, 2019 9:35AM PST on Chrome or Firefox.

  2. The Keeper user would require a password stored in their Keeper Vault for xyz.com.

  3. The malicious website would then request the password and associated data stored for the size xyz.com upon visiting the malicious website.

How to Update

‌The Keeper Browser Extension will auto-update from Chrome Web Store and Firefox Add-ons. The old extension version 12.4.0 which was released approximately 12 hours earlier has been disabled.

We appreciate the detailed report, reproduction steps and supporting documentation provided by the security researcher, Jun Kokatsu.

All security and vulnerability reports are managed and submitted to Keeper's Bugcrowd Public Vulnerability Disclosure program at:

https://bugcrowd.com/keepersecurity