Microsoft has reportedly bundled a third-party password manager, Keeper, into a Windows 10 image intended for developers, according to a report published on Monday.
Users would expect a bundled password manager to add security. Instead, what they found was described as a gaping security hole in the app. Keeper's password manager appears on the list of pre-installed apps.
This means Keeper is installed by default after a clean installation of the Windows 10 operating system. A security researcher claims that the version of Keeper bundled with Windows 10 contains the flaw.
What is Keeper?
In a Twitter post, Tavis Ormandy, a vulnerability researcher at Google, claims to have discovered a security flaw in the third-party password manager bundled by Microsoft.
“I created a new Windows 10 VM [virtual machine] with a pristine image [of Windows 10] from MSDN, and noticed a third-party password manager is now installed by default. It didn’t take long to find a critical vulnerability,” Ormandy wrote via microblogging site Twitter.
He further explained that Keeper's browser extension injects privileged UI into web pages, which is what exposes it to attack.
Ormandy suspects that the same Keeper build is shipping in the version of Windows 10 being distributed globally.
“I think I’m generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password,” Ormandy explained.
Responding to the issue, Keeper co-founder and CTO Craig Lurey did not treat the security flaw as serious. Lurey claims that the latest version of Keeper introduced both features and improvements, including more secure form filling and several automation features.
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension,” Lurey said.
“To resolve this issue, we removed the ‘Add to Existing’ flow and have taken additional steps to prevent this potential vulnerability in the future,” Lurey added.
Microsoft users can download Keeper extension version 11.4, which fixes the security hole. The updated extension is being rolled out for Edge, Chrome, and Firefox.