Notebookcheck Logo

Windows 10's included password manager can pose a security risk

Keeper is being installed by default in new Windows 10 installations. (Source: User ToppestofDogs on Reddit)
Keeper is being installed by default in new Windows 10 installations. (Source: User ToppestofDogs on Reddit)
A Google security researcher has discovered that the included third-party password manager in Windows 10, Keeper, comes with a security vulnerability that injects privileged UI into web apages that exposes a user's passwords.
Cyberlaw Desktop Security Software Windows

A Google Project Zero researcher has discovered a security flaw in the password manager, Keeper that installs by default in new Windows 10 installations, even in MSDN copies. Keeper comes installed both as an app as well as an Edge addon. The researcher, Tavis Ormandy, who has filed a bug report with a 90 day disclosure deadline, discovered the browser addon to have a security flaw that injected privileged UI into web pages — in layman terms, that means hackers can steal your stored passwords when running the addon.

Ormandy had earlier reported the flaw regarding Keeper about 16 months ago but even in newer versions, the flaw apparently persisted as evidenced by this proof-of-concept page that exposed a user's Twitter password stored in Keeper.

In a statement, Microsoft has clarified to Ars Technica that the current bug found in new Windows 10 installations was different from the one Ormandy reported earlier and that the bug is now patched. Users should not have any issues if they have their apps and extensions up to date. But this report does raise some concerns about Microsoft's security measures for third-party apps and the screening process that they undergo. Although the issue would have only arisen if one specifically used Keeper to store their passwords, it still comes across as a glaring oversight by both Keeper developers and Microsoft to have the exploit for a considerable time in the wild before getting it patched.

Source(s)

+ Show Press Release

Related Articles

Windows 10 logo (Source: Microsoft)
Over 100 malicious signed Windows drivers blocked by Microsoft 07/12/2023
After
"123456" and "password" are officially 2018's worst passwords 12/16/2018
Avira Privacy Pal protection modes (Source: Avira)
Avira's Privacy Pal gives you more control over your personal data 04/23/2018
Windows Defender extension for Chrome (Source: Chrome Web Store)
Windows Defender now available as an extension for the Chrome browser 04/20/2018
Windows Defender ATP will now enable deep security insights for older Windows versions. (Source: Microsoft)
Windows Defender ATP coming to Windows 7 and Windows 8.1 02/13/2018
New privacy options will be seen in upcoming Windows 10 releases. (Source: ZDNet)
Latest Windows 10 Insider Preview builds reveal new privacy tools 01/24/2018
The new AMT hack can bypass all known security measures. (Source: Anandtech)
Gone in 30 seconds: New Intel AMT exploit is scarier than you can ever fathom 01/14/2018
Image: Computerworld.com
Apple devices are already protected against Meltdown without any hit to performance 01/05/2018
Microsoft's free Windows 10 upgrade program ends December 31st (Source: Microsoft)
Upgrade to Windows 10 for free before the offer ends on December 31 12/30/2017
The Chrome installer can now be downloaded from the Microsoft Store. (Source: MSPoweruser)
Google throws a bone at the Microsoft Store, offers download of Chrome installer 12/20/2017
The Snapdragon 845 won't feature in Windows 10 devices until 2H 2018. (Source: Microsoft)
Windows 10 on ARM with Snapdragon 845 not due till 2H 2018 12/18/2017
Microsoft Edge - Edit URL for Favorites feature in Windows 10 Insider Build 17046 (Source: Microsoft)
Windows 10 Insider Build 17046 brings more refinements 11/25/2017
An early Windows 10 on ARM benchmark isn't promising. (Source: Microsoft)
Windows 10 on ARM benchmark shows a big hit in performance 11/25/2017
The Settings apps in Windows 10 'Redstone 4' will receive a Fluent Design makeover. (Source: Windows Central)
Windows 10 Settings app to get some Fluent Design makeover in 'Redstone 4' 10/27/2017
Windows Mixed Reality support comes with the Fall Creators Update for Win 10. (Source: Microsoft)
Windows 10 Fall Creators update now rolling out 10/19/2017
Microsoft has called time on Windows 10 Mobile development. (Source: Microsoft)
Windows 10 Mobile is on life support, no new features in the pipeline 10/09/2017
Windows 10 Fall Creators Update is due on October 17th. (Source: Microsoft)
Android and iOS-like app permissions coming to Windows 10 apps 09/13/2017
The Windows 10 Fall Creators Update is all set to roll out starting October 17
Windows 10 Fall Creators Update will officially roll out starting October 17 along with a slew of Windows Mixed Reality headsets 09/01/2017
It appears that users can still upgrade from Windows 7 or 8.1 to Windows 10 for free. (Source: Microsoft)
Two methods of obtaining Windows 10 for free appear to still be open 08/14/2017
Windows 10 Pro for Workstations highlights (Source: Microsoft)
Microsoft Windows 10 Pro for Workstations coming this fall 08/11/2017
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2017 12 > Windows 10's included password manager can pose a security risk
Vaidyanathan Subramaniam, 2017-12-18 (Update: 2017-12-18)