On Dec 8, 2017, Keeper released a major new browser extension update (Version 11.3) that introduced several new features and improvements to the user experience, including improved form filling and automation features.
On Dec 14, 2017, Tavis Ormandy (a highly respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update. Exploiting this potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension; the site then fakes user input by using a malicious code injection technique to execute privileged code within the browser extension.
On Dec 15, 2017 (within 24 hours), we resolved this issue by removing the “Add to Existing” UI flow and have taken additional steps to prevent this potential vulnerability from occurring in the future. Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously. The security and protection of customer information and data is our top priority at Keeper.
We resolved the issue and issued an automatic browser extension update to our customers within 24 hours of being notified (Dec 15, 2017).
All customers running Keeper’s browser extension on Edge, Chrome, Firefox and Safari have already received Version 11.4.4 (or a newer version) through their respective web browser extension update process. Customers can also manually install the latest version of the KeeperFill browser extension by visiting Keeper’s download page. All previous versions of the browser extension have been deprecated and will therefore no longer function.
Keeper has received no reports of any customers affected by this bug. Mobile Apps and Desktop Applications were not affected and do not require updates.
Please contact us at firstname.lastname@example.org with any questions about this security update. For general help, contact us at email@example.com.
Thank you for staying protected with Keeper.