Windows 10's included password manager can pose a security risk
A Google Project Zero researcher has discovered a security flaw in the password manager, Keeper that installs by default in new Windows 10 installations, even in MSDN copies. Keeper comes installed both as an app as well as an Edge addon. The researcher, Tavis Ormandy, who has filed a bug report with a 90 day disclosure deadline, discovered the browser addon to have a security flaw that injected privileged UI into web pages — in layman terms, that means hackers can steal your stored passwords when running the addon.
Ormandy had earlier reported the flaw regarding Keeper about 16 months ago but even in newer versions, the flaw apparently persisted as evidenced by this proof-of-concept page that exposed a user's Twitter password stored in Keeper.
In a statement, Microsoft has clarified to Ars Technica that the current bug found in new Windows 10 installations was different from the one Ormandy reported earlier and that the bug is now patched. Users should not have any issues if they have their apps and extensions up to date. But this report does raise some concerns about Microsoft's security measures for third-party apps and the screening process that they undergo. Although the issue would have only arisen if one specifically used Keeper to store their passwords, it still comes across as a glaring oversight by both Keeper developers and Microsoft to have the exploit for a considerable time in the wild before getting it patched.