Response to May 15 SECLISTS Report

On May 15, 2018 a security researcher posted an article here: (http://seclists.org/fulldisclosure/2018/May/41). This post addresses a “possible flaw” with the Keeper Commander API. Under a specific theoretical scenario, the researcher claimed that the application software running on Keeper’s servers could be modified to exploit a user’s vault through collusion by Keeper and the deployment of software through our own systems; in order to retrieve the keys to decrypt a user’s vault.

In order to coordinate this matter and address the researcher’s concerns (under the scenario he or she provided), we emailed the researcher on several occasions. The researcher’s replies to us were apparently returned as undeliverable and blacklisted by Google, our email provider. From a process perspective, we communicate and coordinate with security researchers through our public, vulnerability disclosure program which is managed by Bugcrowd. You can view our program details here: https://bugcrowd.com/keepersecurity.

Keeper is SOC 2 Type 1 and Type 2 certified which covers the security, availability, processing integrity, confidentiality and privacy of our customer information. The protection and security of our customer information is our top priority. For additional information covering our security architecture and protocols, please visit https://keepersecurity.com/security.

Update: Security-Related Software Update Published on May 17, 2018

After evaluation of the report and discussions with the researcher, we decided to further bolster our authentication process to address the researcher’s concerns. We have implemented an additional layer of hashing to the API authentication process to ensure that client applications, under the theoretical scenario the researcher presented, cannot be exploited in an internal threat situation.

The solution has been published with Version 12.0.0 of the Keeper application and will roll out within the next 48 hours. We want to emphasize that no exploit has occurred. Keeper is a zero-knowledge product and we’ve added the additional security improvements, which we do on a regular basis in the ordinary course of our business, on our client application to address the researcher’s concerns. We own and publish our applications to our users and we control the API. No outside party has access. We would like to thank the security researcher for their report.

Thank you,

Craig Lurey
CTO & Co-founder
Keeper Security Inc.