Vault Version 14.9.4

Features & Benefits

• Support for 2FA using Duo + Yubikey hardware security keys in OTP mode. When presented with Duo authentication, simply tap the Yubikey device and the OTP code is verified by the Duo Auth API integration.

• Improved the search algorithm of KeeperFill for Apps to mirror the search results of the Keeper Desktop main screen. This includes finding records stored within shared folders as well as custom fields.

• Upgraded the electron framework from 6.0.7 to 6.0.11.

• Upgraded the Keeper Safari Extension version to mirror the latest features and enhancements of KeeperFill Browser Extension v12.5.8.

• Enhanced the Import/Export capabilities to include stored Two-Factor Codes.

• Added color codes at the record level inside "Grid View".

• After auto-logout, user can tap on Touch ID in touch bar to activate biometric login.

• In the Folder View, you can now click on the chevron icon to expand/collapse the folder without selecting the folder.

Bug Fixes

• Fixed: When IP allowlisting on a role is enabled, logging into Keeper Desktop gets a dialog that has "Work Offline" as an option, but this does not work.

  If offline mode is allowed, the user should be able to work offline if IP is blocked.

• Fixed: Small UI and visual alignments.

• Fixed: When using KeeperFill for Apps over a remote connection (e.g. Remote Desktop or other remote access tools), the password injection sometimes sends the wrong character codes.

• Fixed: Push notifications received while editing a record cancel the operation.

• Fixed: Some competitor imports are not mapping every field.

• Fixed: Shared folder names are not included in PDF export feature.

• Fixed: Account recovery fails with confusing error message when the user is attempting the recovery within the wrong data center login domain.

Security Updates

• Resolved: A potential cross-site scripting exploit was found by Adam Roberts of NCC Group in one of the Keeper Desktop application popups related to the security certificate warning when connecting to a network proxy. The popup message on the Keeper Desktop application included information from the signed certificate to the user via the proxy. An iFrame in the certificate warning pulled information from the network proxy which could contain injected content. Although Keeper's Content-Security-Policy disallows inline scripts from executing, Adam pointed out that an iFrame can open a local asset and potentially be a source of vulnerability. In order to exploit this, a user would need to first download a file to their local desktop and then connect to a network proxy which injected content via the certificate content. To prevent this from becoming a vulnerability, we now disallow iFrames via the Content-Security-Policy. Special thanks to Adam Roberts of NCC Group for reporting this bug.