Keeper is the third-party password manager that comes bundled free with every fresh copy of Windows 10. Unfortunately, Google Project Zero researcher Tavis Ormandy identified a critical bug in the newly bundled version of Keeper, and it went unpatched for nearly eight days.
“I created a new Windows 10 VM with a pristine image from MSDN and noticed a third-party password manager is now installed by default. It didn’t take long to find a critical vulnerability,” said Ormandy.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm
— Tavis Ormandy (@taviso) December 15, 2017
The bug was found in the Keeper build bundled with a fresh copy of Windows 10 downloaded directly from the Microsoft Developer Network, while the non-bundled version of the app had already been affected by this same bug for over a year.
“I checked, and they’re doing the same thing again with this version,” noted Ormandy.
The bug stems from Keeper’s browser extension injecting its trusted UI into untrusted web pages through a content script; as a result, a malicious website could steal the user’s stored credentials using clickjacking and similar techniques. The technical details have not yet been made public, as the issue qualified for Project Zero’s 90-day disclosure deadline.
“I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password,” wrote Ormandy.
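As an added example that is not Keeper’s code, the following shows the defender-side gate that closes this class of bug: a credential is released only to the extension’s own isolated UI frame (which a host page cannot restyle or re-select), only on an explicit user gesture, and only for a page whose origin exactly matches the one the credential was saved on. The extension origin, the vault entries and the request shape are constructed assumptions.

```javascript
// Added example (not Keeper's code): origin-bound credential release for a
// browser-extension password manager. The content script forwards fill
// requests; this background-side check refuses to release a credential unless
// the request came from the extension's own isolated UI frame, was triggered
// by a user gesture, and the page origin matches the stored origin exactly.

// Constructed sample vault: each entry is bound to the origin it was saved on.
const VAULT = [
  { origin: "https://twitter.com", username: "alice", password: "constructed-secret-1" },
  { origin: "https://bank.example", username: "alice", password: "constructed-secret-2" },
];

// Hypothetical origin of the extension's own UI page (chrome-extension://<id>).
const EXTENSION_ORIGIN = "chrome-extension://hypothetical-extension-id";

// Normalise a page URL to its origin (scheme://host[:port]); null if unusable.
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return null; // never fill over plain http
    return u.origin;
  } catch (_) {
    return null;
  }
}

// Decide whether a fill request may release a credential.
// request = { senderOrigin, pageUrl, userGesture }; returns the entry or null.
function selectCredential(request, vault = VAULT) {
  // (1) Only the extension's own isolated frame may ask. A host page that
  //     injects, hides or restyles DOM elements cannot forge this origin.
  if (request.senderOrigin !== EXTENSION_ORIGIN) return null;
  // (2) Require an explicit user gesture recorded inside that frame, so a
  //     page cannot trigger a fill on the user's behalf.
  if (request.userGesture !== true) return null;
  // (3) Exact origin match, never substring or suffix matching, so a page at
  //     https://twitter.com.evil.example never receives twitter.com's entry.
  const pageOrigin = originOf(request.pageUrl);
  if (pageOrigin === null) return null;
  return vault.find((c) => c.origin === pageOrigin) ?? null;
}
```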
To prove his findings, Ormandy also released a proof-of-concept exploit demonstrating that a Twitter password saved in the Keeper app could be stolen by a malicious page. Keeper’s developers resolved the issue within 24 hours of Ormandy reporting it and pushed an automatic update to version 11.3 of the app.
Keeper’s developers claim that none of the app’s extensions were affected, yet the fact remains that the bug went unfixed for eight days. What is most concerning for Microsoft, however, is that despite partnering with third-party vendors, the end product is still flawed, which suggests the company is not applying a strict review process. This is the same reason Windows 10 suffers from issues like pre-installed bloatware.
In March this year, the same researcher exposed critical flaws in the LastPass password manager that allowed attackers to steal credentials from a targeted device without the user’s knowledge.