Response to the University of York’s Research Report Titled “Revisiting Security Vulnerabilities in Commercial Password Managers”

Response to the University of York’s Research Report Titled “Revisiting Security Vulnerabilities in Commercial Password Managers”

Two researchers recently published an article on vulnerabilities of password managers. This blog post clarifies and formally responds to the points raised in the research report:

  1. While this report was released on March 16, 2020, the version of Keeper tested from the original study was Chrome Extension Version 10.8.1 and Android version 10.7.0 from December 2017. Therefore the original research report references versions that are over 2 years old and have since been subject to several security updates and improved features, as further disclosed in this formal response.

    The Keeper Browser extension is currently version 14.0.4. Since version 10.8.1, Keeper Security has released 76 updates to its Chrome extension. Android is currently running version 14.5.31. Since version 10.7.0, Keeper Security has released 85 updates to the Android application.

  2. Upon receipt of the vulnerabilities as referenced in the report (from 2017), Keeper Security immediately processed and addressed all reported critical, high and medium-priority issues within 24 hours of receipt. All low priority “improvement” issues were resolved in subsequent releases of each specific platform. Details are listed below:

    A) “URL Mismatch.” Keeper performs strict matching of the root domain prior to filling a password on any target website. All URL Mismatch bugs submitted to Keeper were filed and fixed within 24 hours of submission.

    B) “HTTP(S) Autofill.”. Keeper requires the user to confirm any filling operation over a matching HTTP website domain by using the browser’s native confirmation method referenced here. This improvement was published in version 12.6.0.

    C) “Ignoring Subdomains.” By default, Keeper only allows filling within a matching fully qualified root domain. For example, a user with a record having the URL of “login.amazon.com” can fill a password into “amazon.com”. Users may now choose to enforce subdomain matching by visiting the Keeper browser extension Settings > “Match on Subdomain” feature. This improvement was published in version 12.6.0.

    D) “Element Inspection.” Keeper’s team-based “view restriction” feature (available only to business users) is fully documented (https://docs.keeper.io/enterprise-guide/teams) in regards to the nature of “masking”. Masked passwords do not restrict a user from access to the underlying shared password and this is not designed as a form of access control.

  3. In the “new vulnerabilities” section of the report, two new potential issues were raised. One of the issues (brute force) is invalid because the researchers did not test it adequately and the other issue (Clipboard) was already addressed. Keeper Security’s response to the researcher’s issues are addressed below:

    A) “Brute Force Attack on Master Password.” This issue is invalid because Keeper prevents the brute force attack of a user’s master password by throttling and locking the user’s account after 20 failed login attempts. The researcher’s testing was not tested consistently with Keeper’s security policy and lock-out threshold noting that they stopped their testing at 10 failed login attempts. Notwithstanding this, December 2019, Keeper reduced the number of failed attempts threshold to 10.

    B) “Clipboard (ext).” The researchers suggested that “password managers do not provide enough protection surrounding copying sensitive items to the clipboard” when Autofill is not available on a particular site or service.

    Keeper allows the user, at its discretion, to Copy and Paste information from the vault into a target application. This feature is optional. Keeper provides integrated secure alternatives to using Copy/Paste functionality. This includes Keeper’s proprietary Browser Extension KeeperFill®, iOS KeeperFill®, Android KeeperFill® and Desktop-based KeeperFill® for Apps available for Mac and Windows. These features are integrated into the application and provide secure auto-filling of information without using the system clipboard.

    The researchers noted that Keeper provides users with a feature to automatically clear the clipboard on iOS. Keeper also offers this capability on Desktop App, iOS and Android to automatically clear the clipboard contents within a specific amount of time.

Keeper Security works with Bugcrowd, a third-party vulnerability reporting and management platform, to coordinate reports with security researchers and members of the InfoSec community. Keeper Security also maintains a public vulnerability disclosure program and private bug bounty program with Bugcrowd (https://bugrowd.com/keepersecurity).

If you have any questions about Keeper’s proprietary Zero-Knowledge Security Architecture, please email us at security@keepersecurity.com or visit our security disclosure page.