Google Project Zero researcher Tavis Ormandy recently discovered that the Keeper password manager had been affected by a critical flaw similar to one he identified just over one year ago in the same application.
Ormandy found the security hole after noticing that Keeper is now installed by default in Windows 10. He remembered a vulnerability he reported last year and managed to reproduce the same attack with only a few minor modifications.
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” the researcher said. “I checked and, they’re doing the same thing again with this version.”
The vulnerability affects the Keeper browser extensions, which, unless users opt out, are installed alongside the Keeper desktop application. The security hole allows attackers to steal passwords stored by the app if they can convince an authenticated user to access a specially crafted website.
Keeper released a patch within 24 hours of being notified by Ormandy. The fix has been rolled out with version 11.4.4 and it has already been delivered to Edge, Chrome and Firefox users via the browsers’ automatic extension update process. Safari users will need to manually update the extension.
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper said in a blog post informing customers of the vulnerability and the patch.
The company said there had been no evidence of exploitation in the wild, and pointed out that the mobile and desktop apps were not affected by the flaw.
Ormandy has made available a proof-of-concept (PoC) exploit that steals a user’s Twitter password from Keeper.