This update addresses a potential security vulnerability in the Keeper Android application related to the installation of a malicious 3rd party Android application. For the exploit to be realized, a sequence of conditions would be required, which in turn would impact the Keeper Android application. No customer reported being affected by this issue.
The security researcher’s findings were reported via Keeper's Bugcrowd Public Vulnerability Disclosure Program on May 18, 2019. The issue disclosed in the report was accepted and validated on May 20, 2019. The fixes were completed and submitted for publication to the Google Play app store on June 21, 2019 in version 14.3.0.
Summarized Findings in the Security Researcher’s Report
A rogue, malicious 3rd party application installed on the user's device could monitor events on the Keeper application and wait for certain conditions to capture a user's record login and password when the user uses the "Copy to clipboard" feature. The researcher pointed out that while Keeper had FLAG_SECURE enabled at the application level, the flag must be enabled on all app fragments to address this potential vulnerability.
Keeper’s Security Team’s Response
In order for this potential vulnerability to result in an exploit of the user’s password for a website, the following conditions would need to exist:
1. User installs a malicious 3rd party Android application
2. User opens the Keeper app and opens a password record
3. User taps the "eyeball" to display the plain text password
4. User taps the password field to copy it to the clipboard
Result: The "Toast" message containing the password could be read by the malicious application.
Fix: Added FLAG_SECURE to all app fragments to prevent a malicious 3rd party application from monitoring clipboard events when the user taps the "eyeball" to show the password and taps the password field to copy it to the clipboard.
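As an added illustration of the fix described above (example code written for this page, not Keeper's own source), the following Kotlin shows what applying FLAG_SECURE beyond the top-level activity looks like. FLAG_SECURE is a per-Window flag: it marks that window's content as sensitive so it is excluded from screenshots, screen recording and non-secure displays. Ordinary fragments draw into their host activity's window and inherit its flag, but a fragment shown as a Dialog (a DialogFragment, bottom sheet or similar) gets its own Window, so the flag has to be set there as well. The class names SecureActivity and SecureDialogFragment are hypothetical.

```kotlin
// Added example, not Keeper's code: apply FLAG_SECURE to every window the app owns.
import android.app.Dialog
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity
import androidx.fragment.app.DialogFragment

/** Hypothetical base activity: every screen that extends it gets FLAG_SECURE on its window. */
abstract class SecureActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set the flag before any sensitive content is laid out.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
    }
}

/**
 * Hypothetical base dialog fragment: a Dialog has its own Window, so the
 * activity-level flag above does not cover it. Re-apply FLAG_SECURE here.
 */
abstract class SecureDialogFragment : DialogFragment() {
    override fun onCreateDialog(savedInstanceState: Bundle?): Dialog {
        val dialog = super.onCreateDialog(savedInstanceState)
        dialog.window?.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        return dialog
    }
}

/** Example screen that reveals a password: inherits FLAG_SECURE from SecureActivity. */
class PasswordRecordActivity : SecureActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Layout inflation and the "eyeball" toggle would follow here; the
        // window is already flagged secure by the time the password is shown.
    }
}
```

A useful review check when auditing for this class of issue is to search the code base for every place a Dialog, DialogFragment or PopupWindow is created, since each of those is a separate Window that the activity's flag does not reach.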
Special thanks to phosphore, Bugcrowd researcher, for the detailed report and validation of the fix.
Bug Fixes & Improvements
Removed KitKat support
Improved user account switching between KeeperChat and Keeper
Fixed a crash when clicking the "Protect your business" promotion