At Keeper our top priority is the protection and privacy of our customer’s data. Through our successful launch of the Bugcrowd vulnerability disclosure program, we have connected with many researchers who are working to improve the security and privacy of applications every day.
On June 8, 2018, we received a preliminary research report from a group of researchers (Alessio Merlo, Simone Aonzo, Giulio Tavella, Yanick Fratantonio*). This thorough and detailed report analyzed several leading password managers on the market including Google Smart Lock and Android’s Autofill API recently released into Android Oreo (an explanation of the different forms of Android Autofill can be read in our blog post). A section of the report is dedicated to an analysis of the KeeperFill feature which provides the capability to fill a login and password into a native application or website.
The report states that a malicious application on the app store could theoretically be downloaded by a user, and Keeper does not stop the user from filling a password on the malicious application. This is because Keeper uses information from Google Play to suggest records that the user may want to fill. To be clear, at this time no Keeper users have reported a phishing attack or known to have installed malicious applications.
To exploit this issue, the following steps need to be taken (on Android Oreo and newer versions):
- Malicious actor publishes a fake app on Google Play containing a website URL in the metadata which they do not own.
- User installs the malicious / fake app from the Google Play store
- The user opens the malicious app, opens the login screen and selects KeeperFill
- The user taps “Fill” to Autofill the login and/or password into the application
- The user accepts a security prompt (“Do you want to link this record …?”)
- The malicious application would capture the password filled by Keeper (this does not affect other records)
As described above, the user must perform several steps including the manual intent to fill a password. Keeper only presents the option to fill a login or password for an application from Google’s store listing references that match a specific URL. After presenting the user with the available matches, the user can elect to fill the password. Keeper never auto-fills login and password credentials into any application without the user’s consent.
As part of the implementation of Android Autofill, one of the strict requirements is to prompt the user for fill confirmation on a new app or website. This requirement has been in place since our initial launch of Autofill with Android Oreo. This security requirement was established by Google and we believe that this is sufficient to alert users. However, to add additional clarification, we have modified the language of the popup to be more descriptive:
We have also added this popup message to our legacy KeeperFill scenario which is being deprecated when the Autofill API is fully supported across all apps and web browsers beginning with Android P.
We have published this change in Keeper for Android version 12.1.1 which was released in July 2018 as part of our monthly application update, along with other planned improvements. As always, we recommend checking the authenticity of the applications you are installing. If you suspect an application is malicious or fake, please report it to Google at this link.
We would like to thank the research team (Alessio Merlo, Simone Aonzo, Giulio Tavella, Yanick Fratantonio) for the highly detailed and professional research work.
If you have any questions, please send us an email to firstname.lastname@example.org. For more information about Keeper’s vulnerability disclosure program or to file a bug, please visit https://bugcrowd.com/keepersecurity.
*Keeper has been communicating closely with Yanick Fratantonio. For up to date information about the report and our response, please check his Twitter.
CTO & Co-founder
Keeper Security Inc.