Your Web News in One Place

Help Webnuz

Referal links:

Sign up for GreenGeeks web hosting
May 18, 2018 03:20 pm

A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems. According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Read more of this story at Slashdot.


Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/zTD4ZOR7jy0/a-bug-in-keeper-password-manager-leads-to-sparring-over-zero-knowledge-claim

Share this article:    Share on Facebook
View Full Article

Slashdot

Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..

More About this Source Visit Slashdot