His development company Keeper password manager found once more not to be so interested in safety. This time, he was using a server that allowed anyone to access and replace files with malicious content, according to a security researcher.
Chris Vickery, who discovered the exposed server, immediately notified ZDNet that it attempted to contact Keeper by phone and email on Friday. An hour after the revelation, Mr server was insured.
However, the director of Aaron Gessner refused any allegations.
The Chicago-based company has a storage server on Amazon S3 to host installers for its various supported platforms.
However, the server was not password protected and gave access to anyone and "full control" of its contents (reading, replacing and deleting files).
Many of the files included installation files for Windows, Mac, Android and iPhone. A file on the server had a private signature certificate issued by Apple. The certificate can be used to sign the company's iPhone applications, and was issued to Callpod Inc., a company founded by Keeper CEO Darren Guccione.
Naturally, a specialized attacker could replace a legitimate iPhone or iPad install program with a malicious file.
Let's say the Keeper application developer recently sued the researcher security by Ars Technica, And Goodin, because he posted a vulnerability that he discovered in Keeper's password manager browser extension.
Although the company confirmed the vulnerability, it filed a lawsuit against Goodin for allegedly making "false and misleading statements about the Keeper application."
The news caused a lot of backlash in the security community, which criticized the company's response. Many high-level researchers and well-known figures in the community have claimed that such energy will likely have bad results in future security investigations and vulnerability disclosures.