Keeper, an embattled password manager maker currently suing a news reporter for defamation, left a server hosting the company’s installer files exposed with full permissions, allowing anyone to access and replace files with malicious content, a security researcher told ZDNet.
Chris Vickery, who found the exposed server, immediately notified ZDNet of the exposure. We reached out to Keeper by phone and email on Friday. Within an hour of disclosure, the server had been secured.
Keeper executive Aaron Gessner denied the claims.
“Since we did not receive any report from a security researcher and because it’s not a production-facing bucket, we decided to revoke all read and write access while we investigate this report we received from Zack Whittaker at 2pm CST, on March 9,” said Gessner. “This bucket was not public writable, despite the report. Also, there were no private keys in this bucket.”
ZDNet followed up by email after Keeper’s statement.
“We are continuing to investigate your email and will reply when we have completed a thorough investigation,” Gessner replied.
The Chicago, Ill.-based company owns an Amazon S3 storage server to host installers for its various supported platforms.
But the server wasn’t password protected, and it gave anyone accessing the server “full control” over its contents, including reading, replacing, and deleting files.
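The exposure described above comes down to a bucket access control list that grants a public group full control. As an added example (not code from the article, from Keeper, or from Amazon), the following Python audits an S3 bucket ACL in the JSON shape the GetBucketAcl API returns, shows the weak setting beside the corrected one, and folds in the bucket's Public Access Block settings, since IgnorePublicAcls makes S3 disregard public grants even when the ACL still carries them. The owner ID is a placeholder and both ACLs are constructed samples; the group URIs and permission names are S3's real ones.

```python
from typing import Dict, List

# Amazon S3's predefined grantee groups. A grant to either of these makes the
# bucket "public" in the sense the article describes: AllUsers needs no
# credentials at all, AuthenticatedUsers needs only some AWS account.
PUBLIC_GROUPS: Dict[str, str] = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# ACL permissions that let the grantee add, replace or delete objects (WRITE)
# or rewrite the ACL itself (WRITE_ACP); FULL_CONTROL includes both.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample in the shape of a GetBucketAcl response, with a placeholder
# owner ID. The second grant hands FULL_CONTROL to AllUsers, the kind of
# setting that lets anyone replace the files the bucket serves.
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed sample of the corrected ACL: only the owner holds any grant.
HARDENED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Bucket-level Public Access Block settings, in the shape of a
# GetPublicAccessBlock response. With IgnorePublicAcls on, S3 disregards any
# public grant in the ACL, which is the backstop to enable account-wide.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_grants(acl: dict) -> List[dict]:
    """Return every grant in the ACL that goes to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            permission = grant.get("Permission", "")
            findings.append({
                "who": PUBLIC_GROUPS[uri],
                "permission": permission,
                "writable": permission in WRITE_PERMISSIONS,
            })
    return findings


def classify_acl(acl: dict) -> str:
    """'public-writable', 'public-readable' or 'private', from the ACL alone."""
    grants = public_grants(acl)
    if any(g["writable"] for g in grants):
        return "public-writable"
    if grants:
        return "public-readable"
    return "private"


def effective_exposure(acl: dict, public_access_block: dict) -> str:
    """Combine the ACL with the bucket's Public Access Block settings.

    IgnorePublicAcls makes S3 treat public ACL grants as absent, so a bucket
    whose ACL reads 'public-writable' is private in effect when it is on. A
    missing configuration is treated as all-false, the conservative reading.
    """
    if public_access_block.get("IgnorePublicAcls", False):
        return "private"
    return classify_acl(acl)


def report(acl: dict, public_access_block: dict) -> str:
    """Human-readable summary for one bucket."""
    lines = [f"ACL verdict: {classify_acl(acl)}"]
    for g in public_grants(acl):
        note = " (can replace or delete files)" if g["writable"] else ""
        lines.append(f"  grant {g['permission']} to {g['who']}{note}")
    lines.append(f"effective exposure: {effective_exposure(acl, public_access_block)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("exposed bucket, no public access block:")
    print(report(EXPOSED_ACL, {}))
    print("\nsame ACL with the recommended public access block:")
    print(report(EXPOSED_ACL, RECOMMENDED_PUBLIC_ACCESS_BLOCK))
    print("\nhardened ACL:")
    print(report(HARDENED_ACL, RECOMMENDED_PUBLIC_ACCESS_BLOCK))
```

Run against a live account, the same functions take the dictionaries returned by the S3 GetBucketAcl and GetPublicAccessBlock calls; the point of separating `classify_acl` from `effective_exposure` is that an ACL audit on its own overstates risk on buckets already protected by the account-wide block, and understates it when that block was never enabled.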
Many of the files included archived copies of the company’s Windows, Mac, Android, and iPhone install files. One file on the server was a private code-signing certificate issued by Apple. The certificate, also known as a key, which can be used to sign the company’s iPhone and iPad apps, was issued to Callpod Inc., a company founded by Keeper chief executive Darren Guccione.
It’s plausible that a skilled attacker could have replaced a legitimate iPhone or iPad installer with a malicious file.
It’s not clear if the company’s website was directly linking to the files on the exposed server, which makes it near impossible to determine the risk — if any — to customers.
Keeper recently — and controversially — sued Ars Technica’s security editor, Dan Goodin, over a story he wrote about a vulnerability in Keeper’s password manager’s browser extension.
Although the company confirmed the vulnerability, Goodin was later named in a defamation suit for allegedly making “false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords.”
The news sparked anger in the security community, which criticized the company’s response. Many high-profile researchers and well-known figures in the community argued that such action will likely have a chilling effect on future security research and vulnerability disclosure.
Goodin’s lawyers filed a motion to dismiss the case, but Keeper — still under pressure from the security community — doubled down on its case this week and filed a motion opposing Goodin’s efforts to end the suit.