Notebookcheck

Windows 10's included password manager can pose a security risk

Keeper is being installed by default in new Windows 10 installations. (Source: User ToppestofDogs on Reddit)
Keeper is being installed by default in new Windows 10 installations. (Source: User ToppestofDogs on Reddit)
A Google security researcher has discovered that the included third-party password manager in Windows 10, Keeper, comes with a security vulnerability that injects privileged UI into web apages that exposes a user's passwords.

Working For Notebookcheck

Are you a techie who knows how to write? Then join our Team!

Currently wanted: 
German-English-Translator - Details here

A Google Project Zero researcher has discovered a security flaw in the password manager, Keeper that installs by default in new Windows 10 installations, even in MSDN copies. Keeper comes installed both as an app as well as an Edge addon. The researcher, Tavis Ormandy, who has filed a bug report with a 90 day disclosure deadline, discovered the browser addon to have a security flaw that injected privileged UI into web pages — in layman terms, that means hackers can steal your stored passwords when running the addon.

Ormandy had earlier reported the flaw regarding Keeper about 16 months ago but even in newer versions, the flaw apparently persisted as evidenced by this proof-of-concept page that exposed a user's Twitter password stored in Keeper.

In a statement, Microsoft has clarified to Ars Technica that the current bug found in new Windows 10 installations was different from the one Ormandy reported earlier and that the bug is now patched. Users should not have any issues if they have their apps and extensions up to date. But this report does raise some concerns about Microsoft's security measures for third-party apps and the screening process that they undergo. Although the issue would have only arisen if one specifically used Keeper to store their passwords, it still comes across as a glaring oversight by both Keeper developers and Microsoft to have the exploit for a considerable time in the wild before getting it patched.

Source(s)

+ Show Press Release
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2017 12 > Windows 10's included password manager can pose a security risk
Vaidyanathan Subramaniam, 2017-12-18 (Update: 2017-12-18)
Vaidyanathan Subramaniam
Vaidyanathan Subramaniam - News Editor
I am a cell and molecular biologist and computers have been an integral part of my life ever since I laid my hands on my first PC which was based on an Intel Celeron 266 MHz processor, 16 MB RAM and a modest 2 GB hard disk. Since then, I’ve seen my passion for technology evolve with the times. From traditional floppy based storage and running DOS commands for every other task, to the connected cloud and shared social experiences we take for granted today, I consider myself fortunate to have witnessed a sea change in the technology landscape. I honestly feel that the best is yet to come, when things like AI and cloud computing mature further. When I am not out finding the next big cure for cancer, I read and write about a lot of technology related stuff or go about ripping and re-assembling PCs and laptops.