A Google researcher has uncovered a severe security flaw in a password management tool that has been widely bundled with Windows 10.
In the latest round of a "tit for tat" vulnerabilities battle between the two tech giants, perennial bug hunter Tavis Ormandy from Google's Project Zero revealed that the Keeper password manager had been injecting "privileged UI" into pages. Ormandy claims he had previously raised the same issue with Microsoft in an earlier version of Keeper.
However, he explained: "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they're doing the same thing again with this version. This is a complete compromise of Keeper security, allowing any website to steal any password."
In fact, he put together a demo page for Keeper users to see the bug in action. Essentially a browser plugin bug, the issue means that a malicious site could have stolen user passwords with ease. Keeper responded rapidly to the report, blocking the exploit within 24 hours of notification by Ormandy.
“To resolve this issue, we removed the ‘Add to Existing’ flow and have taken additional steps to prevent this potential vulnerability in the future. Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously,” the company said in a blog post.
Javvad Malik, security advocate, AlienVault, told SC Media UK: “All software will eventually have a vulnerability discovered at some point. Security software such as password managers are no exception to the rule. It is fortunate that researchers such as Tavis work to uncover and disclose such vulnerabilities. Keeper demonstrated it does take security seriously with an emergency patch issued within 24 hours of receiving the vulnerability report. A very quick turnaround by any measure.”
Mark Kedgley, CTO, NNT, told SC Media UK: “When a big breach like Yahoo or Equifax is reported, the real problem is that users habitually re-use passwords for other services, meaning they haven't just been compromised for the service affected, but for every other online service. Password Vault utilities like Keeper are a great innovation to address this problem, so I hope this doesn't leave users feeling wary of going down this path. It's fortunate the industry does have established protocols for reporting unforeseen vulnerabilities and good to hear the manufacturer was able to quickly address the problem.”