A vulnerability was discovered in LastPass (not Keeper) where an attacker can clickjack the LastPass extension by loading records into its embedded iframe (which loads those records into a cache) and then appending that iframe to another website on a different domain. The result is that the cached records are exposed on a malicious website whose domain differs from the domain the cached records belong to.
To read more about this LastPass vulnerability, click here.
Keeper is NOT vulnerable to this attack.
This attack only applies if the iframe is programmed to populate the password information as soon as it is “appended” to the page, because at that point the iframe has no reference to the URL of the top window and cannot check whether those records should be populated.
The Keeper Security browser extension protects against this attack vector in two ways:
1. Keeper does not populate the embedded iframe when it appends itself to the page. Instead, we populate the iframe content in a callback of a function that opens the iframe. This method provides additional checks against the iframe domain.
2. Keeper does not cache the last searched records. Every time we populate the extension window contents, we perform the same call (check domain, sort, populate).
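The two protections above, modeled as an added example (this is illustrative code written for this post, not Keeper's or LastPass's extension source): a frame that fills itself from a cache on append, beside a frame that stays empty on append and selects records only inside a callback that receives the verified top-window origin, re-running the check/sort/populate step every time. The sample vault and the `getTopOrigin` hook are constructed assumptions.

```javascript
// Constructed sample vault (not real records).
const SAMPLE_VAULT = [
  { title: "Forum", url: "https://forum.example/", username: "alice42" },
  { title: "Bank", url: "https://bank.example/login", username: "alice" },
];

// Simplified matching: a record belongs to a page only if origins are equal.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

function recordsFor(origin) {
  return SAMPLE_VAULT.filter((r) => originOf(r.url) === origin);
}

// Pattern the advisory describes as vulnerable: the last search result is
// cached, and the frame populates itself from that cache on append, with no
// knowledge of which page it was appended to.
function makeCachedFrame() {
  let cache = [];
  return {
    search(origin) { cache = recordsFor(origin); return cache; },
    onAppend() { return cache; }, // whoever appends the frame sees the cache
  };
}

// Hardened pattern: nothing is populated on append. The host extension code
// supplies the verified embedding origin (getTopOrigin is an assumed hook);
// open() re-runs check -> sort -> populate on every call and keeps no cache.
function makeCheckedFrame(getTopOrigin) {
  return {
    onAppend() { return []; },
    open(callback) {
      const origin = getTopOrigin();
      const matches = recordsFor(origin)
        .sort((a, b) => a.title.localeCompare(b.title));
      callback(matches);
      return matches;
    },
  };
}

module.exports = { makeCachedFrame, makeCheckedFrame, recordsFor };
```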
Keeper’s browser extension and security team have verified that this LastPass vulnerability does not affect our product or users.
If you have any questions, please contact our security team at security@keepersecurity.com. To submit a bug report, please use Keeper’s public vulnerability disclosure program at:
https://bugcrowd.com/keepersecurity
Thank you for staying protected with Keeper!
Keeper Team