Response to Princeton’s Center for Information Technology Policy Article

Keeper is not vulnerable to the attack outlined by the Center for Information Technology Policy research article titled “No boundaries for user identities: Web trackers exploit browser login managers”.

1. Keeper does not auto-fill credentials on any website without the user’s explicit consent.

2. Keeper enforces a same-origin policy when filling into embedded frames. For example, a malicious advertisement that embeds an iFrame into a website with a login form will not be filled because the origin domain (e.g. google.com) does not match.

3. Keeper never fills information into invisible form elements. Malicious pages that create invisible login forms will not be filled by Keeper at any time.

4. Keeper performs “Trusted” checks on all clicks which perform actions such as filling a password or displaying record information. Only a trusted human-generated click can produce a form filling event.

If you have any questions regarding this report, please email us at:
security@keepersecurity.com.