
A bug in Keeper password manager leads to sparring over "zero-knowledge" claim


Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug a security researcher claimed could have allowed access to a user's private data.

The bug — which the company confirmed and has since fixed — was filed anonymously to a public security disclosure list, and detailed how anyone controlling Keeper's API server could gain access to the decryption key for a user's vault of passwords and other sensitive data.

The researcher found the issue in the company's Python-powered script known as Keeper Commander, which lets users rotate passwords, eliminating the need for hardcoded passwords in software and systems.


According to the write-up, the researcher said it is possible that someone in control of Keeper's API — such as employees at the company — could unlock an account, because the API server stores the information used to produce an intermediary decryption key.

"What appears to be in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

"If this disclosure is correct, the API server can induce Keeper Commander during login to decrypt the vault. This would mean a security breach of the API server or a court order could result in a user's vault data being compromised," they added.

The potential security implications of the bug aside, the researcher questioned the company's claim that Keeper has "zero knowledge" of user data. The company insists that employees have no way to access customer data, for example, to satisfy a search warrant or a court order.

The researcher said, citing his bug report, that Keeper's zero-knowledge claim is "incorrect."

Keeper chief technology officer Craig Lurey confirmed the bug in an email.

"After analysis of the report, we decided to further bolster our authentication process to address the researcher's concerns," said Lurey, confirming the bug Wednesday. "We have implemented an additional layer of hashing to the API authentication process to ensure that client applications, under the scenario the researcher presented, cannot be exploited in an insider threat scenario," he said.
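The two design points in the report and in Lurey's response (an API server holding the material an intermediary decryption key is derived from, and an extra hashing layer on API authentication) come down to whether the login proof a client sends can be turned back into the vault key. The following is an added, hypothetical illustration written for this article; it is not Keeper's or Keeper Commander's code and does not describe their actual protocol. It assumes a PBKDF2-derived master key, two HMAC labels (`vault-encryption`, `api-authentication`) chosen for the example, and a toy `ApiServer` class that models an insider who can read the server's database and every login proof that crosses the API.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed parameters for this illustration only (not Keeper's values).
KDF_ITERATIONS = 50_000
VAULT_LABEL = b"vault-encryption"
AUTH_LABEL = b"api-authentication"


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of a 256-bit master key, done on the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )


def vault_key_from(master_key: bytes) -> bytes:
    """Public derivation step: anyone holding master_key can compute the vault key."""
    return hmac.new(master_key, VAULT_LABEL, hashlib.sha256).digest()


def naive_login_proof(master_password: str, salt: bytes) -> bytes:
    """Weak design: the client authenticates with the master key itself, the
    same intermediary value the vault key is derived from."""
    return derive_master_key(master_password, salt)


def hardened_login_proof(master_password: str, salt: bytes) -> bytes:
    """Hardened design: the login proof is a separate one-way derivation, so
    observing it yields neither the master key nor the vault key."""
    master_key = derive_master_key(master_password, salt)
    return hmac.new(master_key, AUTH_LABEL, hashlib.sha256).digest()


class ApiServer:
    """Hypothetical API server. It also models an insider who can read every
    stored record and every proof presented at login."""

    def __init__(self) -> None:
        self.records: dict[str, dict[str, bytes]] = {}
        self.observed_proofs: list[bytes] = []

    def register(self, user: str, salt: bytes, proof: bytes) -> None:
        # Additional hashing layer: the server stores a verifier, never the proof.
        self.records[user] = {"salt": salt, "verifier": hashlib.sha256(proof).digest()}

    def salt_for(self, user: str) -> bytes:
        return self.records[user]["salt"]

    def login(self, user: str, proof: bytes) -> bool:
        self.observed_proofs.append(proof)  # what an insider sees during login
        expected = self.records[user]["verifier"]
        return hmac.compare_digest(expected, hashlib.sha256(proof).digest())

    def insider_recovers_vault_key(self, true_vault_key: bytes) -> bool:
        """The insider applies the public derivation to every proof it has seen.
        Stored verifiers are SHA-256 digests and give nothing further to try."""
        return any(
            hmac.compare_digest(vault_key_from(p), true_vault_key)
            for p in self.observed_proofs
        )


def run_scenario(proof_fn) -> tuple[bool, bool]:
    """Register and log in one user with the given proof scheme, then ask whether
    the insider could reconstruct the vault key from what crossed the API.
    Returns (login_succeeded, insider_recovered_vault_key)."""
    server = ApiServer()
    password = "correct horse battery staple"  # constructed sample credential
    salt = os.urandom(16)
    server.register("alice", salt, proof_fn(password, salt))
    # The vault key is computed locally and is never sent to the server.
    true_vault_key = vault_key_from(derive_master_key(password, salt))
    logged_in = server.login("alice", proof_fn(password, server.salt_for("alice")))
    return logged_in, server.insider_recovers_vault_key(true_vault_key)


if __name__ == "__main__":
    print("naive design:   ", run_scenario(naive_login_proof))     # (True, True)
    print("hardened design:", run_scenario(hardened_login_proof))  # (True, False)
```

Both schemes log the user in, but only in the naive one does the insider end up holding a value from which the vault key follows by a public computation; in the hardened one the proof and the vault key are independent one-way derivations of a master key that never leaves the client, which is the property a "zero-knowledge" claim rests on.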

We asked Keeper about the researcher's claims regarding the company's zero-knowledge policy.

"We are zero-knowledge," said Lurey, following the bug report.

"The researcher's report was a theoretical scenario which never occurred and, more importantly, one that would have required internal collusion," he said. Lurey said it would be "both incorrect and unprofessional" to take that position, he added.

Unlike other companies, Keeper has not so far published a transparency report detailing how many lawful access requests the company has received.

It isn't the first bug Keeper has fixed in the past few weeks either.


The company was criticized by the security community after it sued a reporter for alleged defamation — the case was later settled out of court — after the company rejected parts of the reporter's write-up. Weeks later, a coalition of over 50 security researchers, experts, and reporters (disclosure: this reporter included) signed a letter rejecting legal threats from companies, including Keeper.

The company also left an Amazon S3 storage server exposed without a password, allowing anyone "full control" over its contents, including reading, modifying, and deleting files.


Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
