CATEGORIES
home News

Windows 10 Bundled Password Manager Found To Have Gaping Security Hole

by Paul LillySunday, December 17, 2017, 10:43 AM EDT
Password

Several months ago, Microsoft began bundling Keeper, a third-party password manager, with an image of Windows 10 that is intended for developers. Users noticed the password manager in the list of pre-installed apps after performing a clean installation of Windows 10 from a freshly downloaded build, so it was not difficult to put two-and-two together. More recently, however, a security researched discovered that the version being shipped with the latest Windows 10 image has a security flaw.

"I created a new Windows 10 VM [virtual machine] with a pristine image [of Windows 10] from MSDN, and noticed a third-party password manager is now installed by default. It didn't take long to find a critical vulnerability," Tavis Ormandy, a vulnerability researcher at Google, posted to Twitter.

Ormandy went into a little more detail saying he had previously heard that Keeper was injected privileged UI into pages, and is again doing the same thing with the version that is being shipped with Windows 10.

"I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password," Ormandy added.

The bottom line is that a malicious website (or a legitimate one that's been hacked) could use the exploit in Keeper to steal a user's passwords. In a blog post, Keeper co-founder and CTO Craig Lurey downplayed the issue, saying the latest version introduces several features and improvements, including better form filling and automation features. He also said that no customers were adversely affected by the vulnerability.

"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension. To resolve this issue, we removed the 'Add to Existing' flow and have taken additional steps to prevent this potential vulnerability in the future," Lurey said.

A newer version of the Keeper extension (11.4.4) fixes the flaw and has been rolling out to Edge, Chrome, and Firefox. Customers running Safari can manually update by heading to Keeper's download page.
Tags:  Microsoft, security, Windows 10, (nasdaq:msft), keeper, password manager
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment