For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug-in, a researcher said Friday. The flaw was almost identical to one the same researcher disclosed in the same manager's plug-in 16 months ago, a bug that allowed websites to steal passwords.
Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a bug that represents “a complete compromise of Keeper security, allowing any website to steal any password.” He said he uncovered a flaw 16 months ago in the non-bundled version of the Keeper browser plugin that posed the same threat.
With only basic changes to “selectors,” Ormandy’s old proof-of-concept exploit worked on the Keeper version installed without notice or permission on his Windows 10 system. Ormandy’s post linked to this publicly available proof-of-concept exploit, which steals an end user’s Twitter password if it’s stored in the Keeper app. After this post went live, a Keeper spokesman said the bug was different from the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user had the accompanying browser plug-in installed. The developer on Friday fixed the flaw in the just-released version 11.4 by removing the vulnerable “add to existing” functionality. The fix came 24 hours after Ormandy privately reported the flaw to Keeper.
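Because the app arrived without the user asking for it, the practical question for anyone running one of these builds is whether it is present, whether it predates the 11.4 fix, and whether the browser plug-in that the flaw depended on is installed too. The check below is an added example, not code from the article, from Ormandy or from Keeper. It assumes the bundled Keeper app was delivered as a Windows Store (Appx) package and that the plug-in was a Chrome extension in Chrome's default per-user profile; both are assumptions made for the example, not facts the article states.

```powershell
# Added check (not from the article): is the bundled Keeper app present, is it
# older than the 11.4 release that removed the vulnerable feature, and is the
# browser plug-in installed? Assumes an Appx delivery, which is an assumption.
$fixed = [version]'11.4.0.0'

# Packages installed for any user profile on this machine.
$pkgs = Get-AppxPackage -AllUsers | Where-Object { $_.Name -like '*Keeper*' }
if (-not $pkgs) {
    Write-Output 'No Keeper Appx package found for any user.'
}
foreach ($p in $pkgs) {
    $v = [version]$p.Version
    $state = if ($v -lt $fixed) { 'older than 11.4 (vulnerable build)' } else { 'at or above 11.4' }
    Write-Output ('{0} {1}: {2}' -f $p.Name, $p.Version, $state)
}

# A provisioned package is copied into every newly created user profile, which is
# how a "pre-installed" app keeps coming back after removal. Needs an elevated prompt.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -like '*Keeper*' } |
    ForEach-Object { Write-Output ('Provisioned for new accounts: {0} {1}' -f $_.DisplayName, $_.Version) }

# The flaw only mattered with the browser plug-in installed. Look for a Chrome
# extension whose manifest name mentions Keeper (assumed default profile path).
# Caveat: localized manifests use names like __MSG_appName__ and would be missed.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    Get-ChildItem $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = Get-Content $_.FullName -Raw | ConvertFrom-Json
            if ("$($m.name)" -like '*Keeper*') {
                Write-Output ('Chrome extension present: {0} {1} (id {2})' -f $m.name, $m.version, $_.Directory.Parent.Name)
            }
        }
} else {
    Write-Output 'No Chrome default profile extension directory found.'
}
```

Run it from an elevated PowerShell so the provisioned-package query succeeds; the Appx and extension lookups work unprivileged. A Keeper package below 11.4 together with a Keeper extension in the browser is the combination the article describes as exploitable, so remove or update the app (and, if the package is provisioned, remove the provisioned copy as well) rather than just uninstalling it from one account.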