Security firm Keeper sues news reporter over vulnerability story

The vulnerability was fixed, but Keeper now demands that the allegedly defamatory article is pulled offline.
Written by Zack Whittaker, Contributor

News site Ars Technica. (Screenshot: ZDNet/CBS Interactive)

Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager.

Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

Goodin was one of the first to cover news of the vulnerability disclosure. He wrote that the password manager was bundled in some versions of Windows 10. When Ormandy tested the bundled password manager, he found a password stealing bug that was nearly identical to one he previously discovered in 2016.

Ormandy also posted a proof-of-concept exploit for the new vulnerability.

The bug has since been fixed, according to Ormandy's follow-up note, which triggered the release of the report. Goodin's story was amended twice, which was noted in the story's footer.

Keeper confirmed the bug was fixed in its own blog post, which said "no customers were adversely affected by this potential vulnerability."

Keeper said in its lawsuit that Goodin and his employer, tech site Ars Technica, also named as defendant, "made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords."

The security firm asserts claims for defamation, and calls for a jury trial. The suit also calls for the retraction and removal of the article, and to award damages to Keeper. The full complaint can be found here.

Keeper chief executive Darren Guccione reiterated the company's claims in an email sent to ZDNet, adding that it "vigorously defends its technology, brand, team members and customers."

Ken Fisher, editor-in-chief for Ars Technica, did not immediately return a request for comment by email. Ormandy referred comment to Google, which declined to comment. We also reached out to Microsoft for comment but didn't hear back. (If that changes, we will update.)

Several security experts and researchers on Twitter decried the lawsuit.

"This is bullying and Goodin is [definitely] def in the top 1 percent [of] knowledgeable journalists," said Matthieu Suiche, founder of Comae Technologies, a Dubai-based security firm, in a tweet.

"If Keeper Security thinks this will make their software more secure, this will only irreversibly damage their reputation as a security company," he added.

Kim Zetter, an independent security reporter, said in a tweet that the suit was "ridiculous."

"What a bad precedent this is for a security firm to set and what a dishonorable way to treat a journalist who has covered security for years and takes great pains to get things right," she added.

It remains unclear how successful the suit will be. Illinois, where the case is filed, is said to have "good" laws to protect against so-called strategic lawsuits against public participation, largely seen as ways to protect free speech.

Keeper threatened to sue security firm Fox-IT for finding a security flaw in one of its products.

The case is 1:17-cv-09117 in the northern district of Illinois.

Editorial standards