SIK-2016-026


Title:

Keeper Password Manager Security Question Bypass

Report ID

SIK-2016-026

Summary:

  • Vendor: Keeper Security, Inc.
  • Product: Keeper® Password Manager
  • Affected Version: 9.3.2-229, platformBuildVersionName=6.0-2166767
  • Severity: medium
  • Short summary: By starting an exported activity while the app is in a specific state, the Keeper Password Manager can be used to inject additional data into its database without authentication.

Details:

If the user is logged out, the master password has to be entered to access the passwords in the app. An adversary with local access to the device can attempt to reset the master password. For this attack scenario it is also assumed that, by having local access to the device, the adversary also has access to the mail account connected to the Keeper account.

By entering the password incorrectly once, the adversary can select “Forgot Password”, after which a verification code has to be entered.
In this state, in the Keeper app build with minSdkVersion=15, the adversary can launch the activity com.callpod.android_apps.keeper.DeepLinkActivity using the shell-based Activity Manager (am):

adb shell am start -n com.callpod.android_apps.keeper/.DeepLinkActivity

In the Keeper app build with minSdkVersion=19, the activity is launched with:

adb shell am start -n com.callpod.android_apps.keeper/.ParseDeepLinkActivity -a android.intent.action.VIEW -d "https://kepr.co"

The app then fails to show the login activity and instead shows an empty password list with a different background. After spawning com.callpod.android_apps.keeper/.DeepLinkActivity it is possible to add new passwords without providing the master password. When adding new passwords, a user is able to attach files to the entry. An adversary could abuse this by attaching malicious files to the password entries. A user might later wonder what these files contain when using the Keeper desktop application or the online service, which could trick the user into executing the file on their machine.

Workaround

Secure the local mail app, e.g. with a password. The mail containing the verification code can then not be retrieved by the adversary.

Suggested Mitigation

One possible fix: starting the com.callpod.android_apps.keeper.DeepLinkActivity activity should always result in prompting the user for the master password while they are logged out.
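As an added illustration of this mitigation (example code, not Keeper's own), an exported deep-link Activity that re-checks the vault lock state every time it is entered and hands locked-state requests to the login screen instead of doing any work. LoginActivity, VaultSession.isUnlocked() and the extra key EXTRA_PENDING_DEEP_LINK are assumed names.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class DeepLinkActivity extends Activity {
    // Assumed extra name used to hand the pending link to the login screen.
    static final String EXTRA_PENDING_DEEP_LINK = "pending_deep_link";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        guardThenHandle(getIntent());
    }

    // Re-delivery to an already running instance (singleTop etc.) also
    // arrives here, so the same check has to run on this path.
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        guardThenHandle(intent);
    }

    private void guardThenHandle(Intent intent) {
        // An exported activity can be started directly (e.g. via "am start"),
        // bypassing the normal launcher flow, so the lock state is checked
        // here rather than relying on an earlier screen having done it.
        if (!VaultSession.isUnlocked(getApplicationContext())) { // assumed helper
            Intent login = new Intent(this, LoginActivity.class); // assumed class
            login.putExtra(EXTRA_PENDING_DEEP_LINK, intent.getData());
            login.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP | Intent.FLAG_ACTIVITY_NEW_TASK);
            startActivity(login);
            finish(); // never show vault UI while locked
            return;
        }
        handleDeepLink(intent.getData());
    }

    private void handleDeepLink(Uri link) {
        // Only act on links for the expected host; anything else is dropped.
        if (link == null || !"https".equals(link.getScheme())
                || !"kepr.co".equals(link.getHost())) {
            finish();
            return;
        }
        // Unlocked vault and a well-formed link: normal deep-link processing.
        startActivity(new Intent(Intent.ACTION_VIEW, link).setPackage(getPackageName()));
        finish();
    }
}
```

The point is that the lock check lives in the exported component itself, so the order in which activities are reached cannot skip it.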

Timeline

  • 2016-05-25 Vulnerability Discovered
  • 2016-05-25 Vulnerability Reported
  • 2016-10-06 Vulnerability Fixed