Several months ago, Microsoft began bundling Keeper, a third-party password manager, with an image of Windows 10 that is intended for developers. Users noticed the password manager in the list of pre-installed apps after performing a clean installation of Windows 10 from a freshly downloaded build, so it was not difficult to put two and two together. More recently, however, a security researcher discovered that the version being shipped with the latest Windows 10 image has a security flaw.
"I created a new Windows 10 VM [virtual machine] with a pristine image [of Windows 10] from MSDN, and noticed a third-party password manager is now installed by default. It didn't take long to find a critical vulnerability," Tavis Ormandy, a vulnerability researcher at Google, posted to Twitter.
Ormandy went into a little more detail, saying he had previously found that Keeper was injecting privileged UI into web pages, and that the version being shipped with Windows 10 is again doing the same thing.
"I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password," Ormandy added.
The bottom line is that a malicious website (or a legitimate one that has been compromised) could exploit the flaw in Keeper to steal a user's passwords. In a blog post, Keeper co-founder and CTO Craig Lurey downplayed the issue, saying the latest version introduces several features and improvements, including better form filling and automation features. He also said that no customers were adversely affected by the vulnerability.
"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension. To resolve this issue, we removed the 'Add to Existing' flow and have taken additional steps to prevent this potential vulnerability in the future," Lurey said.
A newer version of the Keeper extension (11.4.4) fixes the flaw and has been rolling out to Edge, Chrome, and Firefox. Customers running Safari can manually update by heading to Keeper's download page.