Keeper Security, a Chicago-based software maker, has sued Conde Nast publications and its Ars Technica website over a recent report alleging problems with one of its products.
The defamation suit filed Tuesday in Chicago federal court claims Conde Nast, Ars Technica and the author of the article, Ars security editor Dan Goodin, “acted in reckless disregard for the truth” by publishing a report last week concerning the Keeper Password Manager, a browser plug-in that was recently distributed in new versions of the Windows 10 operating system.
“On December 15, 2015, the Ars Technica website made false and misleading statements about the Keeper software applications suggesting that it had a 16-month-old bug that allowed sites to steal user passwords,” Keeper attorney Dean D. Niro wrote on behalf of the software maker.
“Ars Technica has revised the article twice, but to date has failed to remove the false statements,” Mr. Niro wrote, in turn spurring Keeper to file suit this week asserting claims for defamation and commercial disparagement under Illinois state law.
The article in question — originally titled “Microsoft is forcing users to install a critically flawed password manager: Win 10 version of Keeper has a 16-month-old bug allowing sites to steal passwords” — claimed that a vulnerable version of Keeper’s software was being quietly distributed in new versions of Windows, potentially putting an unknown number of users at risk of losing control of their own credentials.
The vulnerability was initially discovered by Tavis Ormandy, a security researcher for Google who publicly disclosed the bug a day prior to the Ars report.
“[T]his is a complete compromise of Keeper security, allowing any website to steal any password,” Mr. Ormandy announced Thursday, accompanied by a proof-of-concept demonstrating the vulnerability.
Keeper’s developers fixed the reported bug the following day, 24 hours after Mr. Ormandy privately approached the company, Ars reported.
The Ars article was published that same day and updated twice after receiving input from Keeper, and the copy of the report online at the time of Tuesday’s lawsuit was re-titled, “For 8 days Windows bundled a password manager with a critical plugin flaw: Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords.”
Keeper claims the report is still misleading, and the software maker wants a jury trial in hopes of receiving damages in addition to securing a retraction and the article’s removal.
“There has been no reported or actual security breach or loss of customer information in connection with the subject of the article,” according to its lawsuit.
Neither Conde Nast nor Mr. Goodin immediately responded to requests for comment. Mr. Ormandy referred questions to Google when reached by The Washington Times, but the company did not immediately reply to a similar request.
Other cybersecurity professionals, meanwhile, have taken aim at Keeper for setting its sights on the website’s security reporting.
“In my professional opinion, suing those who discuss software vulnerabilities is itself a reliable indication of dangerously vulnerable software and incompetent security practices,” tweeted Matt Blaze, a University of Pennsylvania computer science professor and renowned cryptologist.
“This is gross, litigious bullying,” tweeted Wired tech reporter Andy Greenberg.
Keeper “vigorously defends its technology, brand, team members and customers,” CEO Darren Guccione told ZDNet, where the lawsuit was first reported Wednesday.
• Andrew Blake can be reached at ablake@washingtontimes.com.