Today, Zack Whittaker, a security reporter at ZDNet, advised us that one of Keeper’s Amazon S3 buckets was writable by unauthorized users. An “S3 bucket” is a container in Amazon Web Services’ Simple Storage Service (S3) that is used to store files.
The Amazon S3 bucket in question was a staging area for QA testing. This S3 bucket was not used to store production or customer-facing applications. Binaries used for production distribution are stored in different S3 buckets, with access restricted to Keeper’s development team.
The email we received from ZDNet mentioned the storage of a code signing certificate; however, this particular file, as well as the S3 bucket in question, did not contain any private keys or any private information that could be used to compromise the security of any software offered by Keeper. The security team locked down the isolated S3 bucket and subsequently conducted a thorough investigation of all S3 buckets in Keeper’s infrastructure. Keeper confirmed the security protocols and access restrictions on its remaining S3 buckets.
No production-facing or customer data was stored in the S3 bucket referenced in ZDNet’s report. Additionally, no private keys or certificates used to sign Keeper’s production binaries were in the reported S3 bucket, and no application in public circulation could have been tampered with. The products available on App Stores and Keeper’s websites were not compromised.
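The bucket-by-bucket review of access restrictions described above amounts to checking each bucket’s ACL and bucket policy for write grants to anonymous or any-authenticated principals. The following is an added example, not Keeper’s code; it works on the dict shapes that boto3’s get_bucket_acl() and get_bucket_policy() return, and the sample ACL, policy, bucket name and account ID are constructed for illustration.

```python
"""Flag S3 bucket ACL grants and bucket-policy statements that let anonymous or
any-authenticated principals write. Input shapes follow boto3 get_bucket_acl()/get_bucket_policy()."""
import fnmatch
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}          # ACL permissions
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy"}      # policy actions

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def acl_public_write(acl: dict) -> list:
    """Return 'Group:Permission' for each public-group grant carrying write rights."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMS):
            findings.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant['Permission']}")
    return findings

def policy_public_write(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement giving a write action to
    Principal "*" or {"AWS": "*"}. Conditions are ignored on purpose, so a
    conditioned statement is still reported for manual review."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        is_anyone = principal == "*" or (isinstance(principal, dict)
                                         and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") != "Allow" or not is_anyone:
            continue
        patterns = _as_list(stmt.get("Action"))  # IAM actions may use wildcards, e.g. "s3:Put*"
        if any(fnmatch.fnmatchcase(a, p) for p in patterns for a in WRITE_ACTIONS):
            findings.append(str(stmt.get("Sid", idx)))
    return findings

# Constructed sample inputs (not from the incident): a QA bucket whose ACL grants
# AllUsers WRITE, and a policy whose second statement lets anyone upload objects.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Statement": [
    {"Sid": "CiUpload", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::qa-staging-example/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::qa-staging-example/*"}]}
```

Running both checks over every bucket returned by list_buckets() gives the per-bucket list of public write grants to remove; a bucket-level Public Access Block remains the stronger guard, since it overrides such grants outright.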
Keeper would like to thank both the security analyst and Zack at ZDNet for reporting this issue to us earlier today. We respect and support the InfoSec community as we work together to continually improve the security of our products and the cybersecurity industry.
CTO & Co-founder
Keeper Security Inc.