Windows 10's included password manager can pose a security risk

Keeper is being installed by default in new Windows 10 installations. (Source: User ToppestofDogs on Reddit)

A Google security researcher has discovered that the included third-party password manager in Windows 10, Keeper, comes with a security vulnerability that injects privileged UI into web apages that exposes a user's passwords.

Vaidyanathan Subramaniam, Published 12/18/2017

A Google Project Zero researcher has discovered a security flaw in the password manager, Keeper that installs by default in new Windows 10 installations, even in MSDN copies. Keeper comes installed both as an app as well as an Edge addon. The researcher, Tavis Ormandy, who has filed a bug report with a 90 day disclosure deadline, discovered the browser addon to have a security flaw that injected privileged UI into web pages — in layman terms, that means hackers can steal your stored passwords when running the addon.

Ormandy had earlier reported the flaw regarding Keeper about 16 months ago but even in newer versions, the flaw apparently persisted as evidenced by this proof-of-concept page that exposed a user's Twitter password stored in Keeper.

In a statement, Microsoft has clarified to Ars Technica that the current bug found in new Windows 10 installations was different from the one Ormandy reported earlier and that the bug is now patched. Users should not have any issues if they have their apps and extensions up to date. But this report does raise some concerns about Microsoft's security measures for third-party apps and the screening process that they undergo. Although the issue would have only arisen if one specifically used Keeper to store their passwords, it still comes across as a glaring oversight by both Keeper developers and Microsoft to have the exploit for a considerable time in the wild before getting it patched.

Source(s)

Engadget

ArsTechnica

+ Show Press Release

"123456" and "password" are officially 2018's worst passwords 12/16/2018

Avira Privacy Pal protection modes (Source: Avira)

Avira's Privacy Pal gives you more control over your personal data 04/23/2018

Windows Defender extension for Chrome (Source: Chrome Web Store)

Windows Defender now available as an extension for the Chrome browser 04/20/2018

Windows Defender ATP will now enable deep security insights for older Windows versions. (Source: Microsoft)

Windows Defender ATP coming to Windows 7 and Windows 8.1 02/13/2018

New privacy options will be seen in upcoming Windows 10 releases. (Source: ZDNet)

Latest Windows 10 Insider Preview builds reveal new privacy tools 01/24/2018

The new AMT hack can bypass all known security measures. (Source: Anandtech)

Gone in 30 seconds: New Intel AMT exploit is scarier than you can ever fathom 01/14/2018

Apple devices are already protected against Meltdown without any hit to performance 01/05/2018

Microsoft's free Windows 10 upgrade program ends December 31st (Source: Microsoft)

Upgrade to Windows 10 for free before the offer ends on December 31 12/30/2017

The Chrome installer can now be downloaded from the Microsoft Store. (Source: MSPoweruser)

Google throws a bone at the Microsoft Store, offers download of Chrome installer 12/20/2017

The Snapdragon 845 won't feature in Windows 10 devices until 2H 2018. (Source: Microsoft)

Windows 10 on ARM with Snapdragon 845 not due till 2H 2018 12/18/2017

Microsoft Edge - Edit URL for Favorites feature in Windows 10 Insider Build 17046 (Source: Microsoft)

Windows 10 Insider Build 17046 brings more refinements 11/25/2017

An early Windows 10 on ARM benchmark isn't promising. (Source: Microsoft)

Windows 10 on ARM benchmark shows a big hit in performance 11/25/2017

The Settings apps in Windows 10 'Redstone 4' will receive a Fluent Design makeover. (Source: Windows Central)

Windows 10 Settings app to get some Fluent Design makeover in 'Redstone 4' 10/27/2017

Windows Mixed Reality support comes with the Fall Creators Update for Win 10. (Source: Microsoft)

Windows 10 Fall Creators update now rolling out 10/19/2017

Microsoft has called time on Windows 10 Mobile development. (Source: Microsoft)

Windows 10 Mobile is on life support, no new features in the pipeline 10/09/2017

Android and iOS-like app permissions coming to Windows 10 apps 09/13/2017

The Windows 10 Fall Creators Update is all set to roll out starting October 17

Windows 10 Fall Creators Update will officially roll out starting October 17 along with a slew of Windows Mixed Reality headsets 09/01/2017

Two methods of obtaining Windows 10 for free appear to still be open 08/14/2017

Windows 10 Pro for Workstations highlights (Source: Microsoft)

Microsoft Windows 10 Pro for Workstations coming this fall 08/11/2017

Loading Comments

Comment on this article

Red Xiaomi Mi A1 Special Edition hi...

AIM is now gone for good

Vaidyanathan Subramaniam - Managing Editor - 1787 articles published on Notebookcheck since 2012

Though a cell and molecular biologist by training, I have been drawn towards computers from a very young age ever since I got my first PC in 1998. My passion for technology grew quite exponentially with the times, and it has been an incredible experience from being a much solicited source for tech advice and troubleshooting among family and friends to joining Notebookcheck in 2017 as a professional tech journalist. Now, I am a Lead Editor at Notebookcheck covering news and reviews encompassing a wide gamut of the technology landscape for Indian and global audiences. When I am not hunting for the next big story or taking complex measurements for reviews, you can find me unwinding to a nice read, listening to some soulful music, or trying out a new game.

contact me via: @Geeky_Vaidy

Please share our article, every link counts!

.170

> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2017 12 > Windows 10's included password manager can pose a security risk

Vaidyanathan Subramaniam, 2017-12-18 (Update: 2017-12-18)

Windows 10's included password manager can pose a security risk

Source(s)

Press Release

Related Articles