by Craig Lurey, CTO at Keeper Security, Inc. – August 26, 2016
Keeper holds the security of our customers and their data as our highest priority. To mitigate the possibility of an online clickjacking attack during a browser session, we have updated our Keeper Browser extension. We have made two security enhancements based on the analysis provided by Tavis Ormandy, a highly-respected security analyst at Google.
Yesterday, we received a report regarding this potential security risk. It related to a security threat that could potentially be exploited by a clickjacking attack using an on-page feature of the browser extension. In this scenario, a malicious website with intent to attack the extension could entice a user to click on the Keeper lock icon and take advantage of our “Search” feature with the goal of attempting to extract a credential from the vault.
We immediately addressed and resolved this potential vulnerability by removing the “Search” and “Add to Existing Record” features from the on-page browser extension user interface as seen below:
Removing the Search feature
Removing the “Add to Existing Record” feature
This change has been published on the Chrome, Firefox, Safari and IE extension and will automatically update for all users.
If you have any questions about this extension update, please contact firstname.lastname@example.org.