Modernizing Authentication — What It Takes to Transform Secure Access
It's the email no security company really wants to get - a message from Google Project Zero security researcher Tavis Ormandy about a new vulnerability.
In the case of Keeper Security, which received such a message on Dec. 14, rather than drag out the issue, the company responded quickly to Ormandy and delivered a patch to users within 24 hours. Ormandy first reported the security issues, identified as, "privileged UI injection into pages" issue to Keeper on Dec 14. As it turns out though, this was the second time that Ormandy filed a bug on the same issue with Keeper.
"I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," Ormandy wrote in a bug report. "I checked and, they're doing the same thing again with this version."
The first time Ormandy informed Keeper Security of the privileged UI injection into pages" issue was in August 2016. At that time, Ormandy explained how the flaw could simply enable an attacker to steal passwords from Keeper users.
"This is a complete compromise of Keeper security, allowing any website to steal any password," Ormandy wrote in his new advisory.
The flaw is specifically in the Keeper browser extension which is available for the Edge, Chrome and Firefox web browsers.
"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension," Keeper wrote in its advisory.
Google Project Zero has a 90-day disclosure policy, which is intended to give organization enough time to path issues, before they are publicly revealed. Keeper didn't need the full 90-days and fixed the issue in 24 hours.
What Should Users Do?
The Keeper browser extension has already been automatically updated for impacted users. Beyond updating there are several best practices that users should consider.
"Assume that everything is hackable," Jeff Bohren, Chief Software Engineer at Optimal IdM suggests.
Bohren added that all things considered, password managers can generally be considered considered safe. Boren recommends that users look for a password manager that is cloud-based and stores passwords in a vault in an encrypted form.
Additionally using two-factor authentication alongside a password manager is a good idea.
"2FA does a good job of allowing only individual account owners access to their login credentials," Bohren said. "If hackers do succeed in guessing a password, they must still breach additional authentication steps before they can reach important data."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.