Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user’s private data.
The bug, which the company confirmed and has since fixed, was reported anonymously to a public security disclosure list. The report detailed how anyone controlling Keeper’s API server could gain access to the decryption key for a user’s vault of passwords and other sensitive information.
The researcher found the issue in the company’s Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.
According to the write-up, the researcher said it’s possible that someone in control of Keeper’s API — such as employees at the company — could unlock an account, because the API server stores the information used to produce an intermediary decryption key.
“What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server,” said the researcher.
“If this disclosure is correct, the API server can induce Keeper Commander during login to reveal how to decrypt the vault. This would mean a security breach of the API server or a court order may result in a user’s vault information being compromised,” they added.
The potential security implications of the bug aside, the researcher questioned the company’s claim that Keeper has “zero knowledge” of user data. The company insists that employees have no way to access customer data, for example, to satisfy a search warrant or a court order.
The researcher said, citing their bug report, that Keeper’s zero-knowledge claim is “incorrect.”
Keeper chief technology officer Craig Lurey confirmed the bug in an email.
“After evaluation of the report, we decided to further bolster our authentication process to address the researcher’s concerns,” said Lurey, confirming the bug Wednesday. “We have implemented an additional layer of hashing to the API authentication process to ensure that client applications, under the scenario the researcher presented, cannot be exploited in an internal threat situation,” he said.
We asked Keeper about the researcher’s claims about the company’s zero-knowledge policy.
“We are zero-knowledge,” said Lurey, following the bug report.
“The researcher’s report was a theoretical scenario which never occurred and more importantly, one that would have required internal collusion,” he said. It would be “both improper and unprofessional” to take that position, he added.
Unlike other companies, Keeper has not to date published a transparency report detailing how many lawful access requests the company has received.
It’s not the first bug Keeper has fixed in the past few weeks either.
The company was criticized by the security community after it sued a reporter for alleged defamation — the case was later settled out of court — after the company rejected parts of the reporter’s write-up. Weeks later, a coalition of over 50 security researchers, experts, and journalists (disclosure: this reporter included) signed a letter rejecting legal threats from companies, including Keeper.
The company also left an Amazon S3 storage server exposed without a password, allowing anyone “full control” over its contents, including reading, replacing, and deleting files.