Written by
Craig Lurey
Keeper Security’s dedication to protecting user data permeates everything we do. Keeper® holds the longest standing SOC 2 and ISO 27001 certifications in the industry. Keeper is GDPR compliant, CCPA compliant, as well as FedRAMP and StateRAMP Authorized. Our commitment to securing our customers’ data is why Keeper has proactive safeguards in place to protect our customers against automatically filling credentials into untrusted applications or websites.
A recent report from a security researcher raised concerns about an Android vulnerability called AutoSpill that could potentially allow a password manager to fill credentials into an untrusted application. Keeper works in close collaboration with the security research community via our bug bounty and Vulnerability Disclosure Program (VDP) managed by Bugcrowd. Through this program, Keeper works with good-faith hackers to identify and resolve any issues within our cybersecurity solutions and help improve the collective cybersecurity of the industry as a whole.
Keeper initially received a report from the researcher on May 31, 2022 and requested a video to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application, and subsequently, accepted the prompted warning by Keeper to force the association of the malicious application to a password record. Keeper’s built-in safeguards protect against this type of scenario. On the Android platform, Keeper prompts the user when attempting to autofill credentials into an application or website. The user is asked to confirm the association of the application to the Keeper password record prior to filling any information.
A screenshot demonstrating Keeper’s protection against the scenario, as outlined above, can be seen below:
The association of a Keeper record to a malicious application could only happen if the user overrode important security settings on their device to sideload a malicious application or downloaded a dangerous app outside of the official App Store. Subsequently, the user would need to explicitly authorize the association of the Keeper record with the malicious application to autofill the approved credentials. On June 29, 2022, we informed the researcher of Keeper’s software security protections, and additionally, recommended he submit his report to Google since his concerns specifically related to Android’s WebView component.
There are simple best practices that users of any password manager, including Keeper, should always follow to protect themselves:
Keeper provides a plethora of educational resources to help everyone improve their cybersecurity protection and follow best practices. We always recommend being both cautious and vigilant about the applications you install.
Learn more about how to keep your smartphone safe.
You May Also Like
The modern threat landscape is constantly changing and the software supply chain has become a common target for cybercriminals. Cyber threats have become a headache for overworked developers and DevOps teams as they face tight deadlines,...
Choose Language