Security company sues Ars Technica for reporting bug

22 December 2017


Insists that bug in Keeper could not steal password.

Keeper, a maker of password manager software, has filed a lawsuit against a tech reporter and Ars Technica over their reporting of a vulnerability disclosure in its product.

According to ZDNet, Dan Goodin, security editor at Ars Technica, was named as a defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager.

Goodin’s story was published on December 15, and quoted Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

When Ormandy tested the bundled password manager, he found a password-stealing bug that was nearly identical to one he previously discovered in 2016. He posted a proof-of-concept exploit for the new vulnerability.

Keeper fixed the bug and said "no customers were adversely affected by this potential vulnerability".

However, in the lawsuit, Keeper claimed that Goodin and his employer, tech site Ars Technica, also named as a defendant, "made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords".

The security firm asserts claims for defamation and calls for a jury trial. The suit also calls for the retraction and removal of the article, and for damages to be awarded to Keeper.

Keeper chief executive Darren Guccione reiterated the company's claims in an email sent to ZDNet, adding that it "vigorously defends its technology, brand, team members and customers".

Kim Zetter, an independent security reporter, said in a tweet that the suit was "ridiculous."

"What a bad precedent this is for a security firm to set and what a dishonorable way to treat a journalist who has covered security for years and takes great pains to get things right", she added.

It is unclear what Keeper is playing at. Illinois, where the case is filed, is said to have "good" laws to protect against so-called strategic lawsuits against public participation; such laws are largely seen as ways to protect free speech. However, there is the small matter of cost. Most tech magazines have small kitties with which to defend themselves against companies that want them to do as they are told. Gawker was a recent case where the money ran out and took the company with it.

Keeper has previously threatened to sue security firm Fox-IT for finding a security flaw in one of its products. Fox-IT was notified that the public disclosure of the issues described in its advisory might be met with swift legal action.

Last modified on 22 December 2017