audiovilla.blogg.se

Keeper password manager initial release
Paul Pols of Fox-IT’s penetration testing team discovered a critical vulnerability in version 5.3 of the “Keeper® Password & Data Vault” app for iPhones, iPods touch and iPads.

An update was released today that is said to resolve the issues that we identified. We urge all users of this application to install this update as soon as they can, because user information that the app is meant to protect, including the user’s master password, was found to be stored unencrypted.

The full advisory (that includes all technical details) can be found below.

Description: Unencrypted storage of confidential information
Affects: Keeper® Password & Data Vault v5.3 for iOS
Resolved: 04-April-2013, according to the vendor’s legal counsel
Published: 05-April-2013 16:33 CET

Background

Keeper® Password & Data Vault is a popular application that is used to store and access passwords and other confidential information. The iOS application is advertised to secure all confidential information with military-grade encryption (AES). Versions of the Keeper® software are available for multiple platforms including Android, BlackBerry, iOS, Windows Phone, Linux, Mac OS X and Windows.

Version 5.3 of the Keeper® Password & Data Vault application for iOS has been found to perform various POST-requests to and/or using SSL/TLS that contain confidential information. The unencrypted content of this traffic is subsequently stored as local cache on the file system of the device. The confidential information that is posted and cached amongst others includes the unencrypted version of the master password and the content of entries that are stored within the application. More specifically, the Keeper® Password & Data Vault application folder was found to contain SQLite3 database files in the following subdirectory /Library/Caches/D4D2433BGC/. This directory is used to store the application’s cache. The confidential information can be retrieved from the table cfurl_cache_response in the SQLite3 database or directly from the file Cache.db-wal. These unencrypted cache files are persistent across reboots.

Impact

By obtaining access to the file system of an iOS device, an attacker can retrieve confidential information from the Keeper® Password & Data Vault application directory. The information that can be retrieved includes the master password, e-mail address, the secret question and answer as well as the content of entries in the Keeper® Password & Data Vault application, such as URLs, usernames and passwords.

An attacker can obtain access to the file system of an iOS device by performing a jailbreak. Consequently, the confidentiality of information that is stored by version 5.3 (and possibly earlier versions) of the Keeper® Password & Data Vault application is at risk on iOS devices that can be jailbroken. Any iPhone, iPod touch and iPad running an iOS version up to 6.1.2 can generally be jailbroken.

Vendor response

Fox-IT has reported the vulnerability in Keeper® Password & Data Vault to Keeper Security Inc. within 24 hours of its initial discovery. Keeper Security Inc. has refused to constructively engage in a responsible disclosure procedure and has requested all further communication to be addressed to the company’s legal counsel. Keeper Security Inc’s legal counsel has since notified Fox-IT “that the issue raised has been addressed and resolved in the new version of Keeper (Version 6.0) which is available on the App Store”. However, the description of the update on the App Store does not specify this version resolves any security issues.

Fox-IT was also notified that the public disclosure of the issues that are described in this advisory may be met with swift legal action. Our mission at Fox-IT is to make technical and innovative contributions for a more secure society. Given the lack of public information regarding the risks that are associated with the previous version of the application, we regard it as our responsibility to publish a detailed advisory.
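For developers who want a regression check for the kind of unencrypted cache storage the advisory describes, the following is an added example, not code from Fox-IT or the vendor. It assumes you have copied your own app's Library/Caches directory from a test device and that you entered known canary values into the app beforehand; the function names and canary strings are hypothetical.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

def _cell_bytes(value):
    """Normalise a SQLite cell (TEXT, BLOB, number, NULL) to bytes for searching."""
    if value is None:
        return b""
    return value if isinstance(value, bytes) else str(value).encode("utf-8", "replace")

def scan_sqlite_cells(db_path, canaries):
    """Return sorted (table, column, canary) for every column that holds a canary."""
    # Open read-only so the check never checkpoints or alters the copied cache.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        con.text_factory = bytes  # tolerate TEXT cells that are not valid UTF-8
        seen = set()
        for table in tables:
            quoted = table.replace('"', '""')
            cur = con.execute(f'SELECT * FROM "{quoted}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, value in zip(cols, row):
                    data = _cell_bytes(value)
                    seen.update((table, col, c) for c in canaries if c in data)
        return sorted(seen)
    finally:
        con.close()

def scan_cache_dir(cache_dir, canaries):
    """Return findings for every file under cache_dir that exposes a canary.

    Raw byte matches catch data that only lives in Cache.db-wal or in freed
    pages; cell matches name the table and column that stored it.
    """
    findings = []
    for path in sorted(p for p in Path(cache_dir).rglob("*") if p.is_file()):
        blob = path.read_bytes()
        for canary in canaries:
            if canary in blob:
                findings.append(("raw", path.name, canary))
        if blob.startswith(SQLITE_MAGIC):
            for table, col, canary in scan_sqlite_cells(path, canaries):
                findings.append(("cell", path.name, f"{table}.{col}", canary))
    return findings
```

An empty result for all canaries is the pass condition; any finding means a secret reached disk in plaintext through the cache.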













