About 16 months ago, Google Project Zero researcher Tavis Ormandy found a critical bug in the browser extension of a password manager named Keeper. The extension injected its trusted UI into untrusted web pages through a content script. Because that UI lived in the page's own DOM, any website could manipulate it and trick the extension into filling saved credentials, letting the site steal user passwords with techniques such as clickjacking.
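To make the bug class concrete, here is an added illustration written for this article; it is not Keeper's code, not Ormandy's proof of concept, and the vault contents, function names and the `ctx` fields are hypothetical. It contrasts a fill handler that trusts the page-controlled DOM element it was attached to with one that only acts on values the extension observed itself: the frame's own origin, whether the triggering event came from a real user gesture, and where the target form submits. The origin check is what stops a third-party page from obtaining another site's credential at all, which is the case the Twitter demo exploited.

```javascript
// Added illustration (not Keeper's code): the decision a password-manager
// content script should make before filling a saved credential into a page.
// All data below is constructed for the example.

// Constructed sample vault keyed by the origin the credential was saved for.
const VAULT = {
  'https://twitter.com': { user: 'alice', password: 'hunter2' },
};

// Return the origin of an http(s) URL, or null for anything else.
function originOf(url) {
  try {
    const u = new URL(url);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable pattern: the dropdown item injected into the page carries a
// data-site attribute, and the click handler fills whatever site the element
// names. Since the element is inside the page's DOM, the page can rewrite
// data-site and then click the element itself (element.click()), or overlay a
// decoy so a real user click lands on it. No check ties the fill to the page.
function fillVulnerable(uiElement) {
  const cred = VAULT[uiElement.dataset.site];
  return cred
    ? { fill: true, user: cred.user, password: cred.password }
    : { fill: false, reason: 'no credential for ' + uiElement.dataset.site };
}

// Hardened pattern: decide from facts the content script gathered itself.
// ctx (hypothetical shape):
//   pageUrl        - location.href of the frame the script runs in
//   isTopFrame     - window === window.top
//   eventIsTrusted - event.isTrusted of the click that requested the fill
//   formActionUrl  - the target form's action ('' means "this page")
function decideFill(ctx) {
  const deny = (reason) => ({ fill: false, reason });

  const pageOrigin = originOf(ctx.pageUrl);
  if (!pageOrigin) return deny('page is not http(s)');

  // Conservative choice: never fill inside a subframe, since a content script
  // cannot reliably learn a cross-origin top frame's origin.
  if (!ctx.isTopFrame) return deny('fill requests from subframes are refused');

  // Scripted clicks (element.click(), dispatchEvent) carry isTrusted === false.
  if (!ctx.eventIsTrusted) return deny('fill must follow a real user gesture');

  // Look the credential up by the origin the extension observed, never by a
  // value read from a page-controlled DOM node.
  const cred = VAULT[pageOrigin];
  if (!cred) return deny('no credential saved for ' + pageOrigin);

  // A form that posts somewhere else would hand the secret to that origin.
  const actionOrigin = ctx.formActionUrl ? originOf(ctx.formActionUrl) : pageOrigin;
  if (actionOrigin !== pageOrigin) return deny('form submits to a different origin');

  return { fill: true, user: cred.user, password: cred.password };
}

// Scenario from the article: a hostile page asks for the Twitter credential.
function demo() {
  // The page rewrote the injected element's data-site and clicked it itself.
  const leaked = fillVulnerable({ dataset: { site: 'https://twitter.com' } });
  // The same request evaluated against facts the extension observed.
  const blocked = decideFill({
    pageUrl: 'https://attacker.example/login',
    isTopFrame: true,
    eventIsTrusted: true,
    formActionUrl: '',
  });
  return { leaked, blocked };
}

module.exports = { VAULT, originOf, fillVulnerable, decideFill, demo };
```

Note that `isTrusted` only defeats scripted clicks; a clickjacking overlay still delivers a genuine user click. The origin comparison is what makes that click useless to a third-party page, and neither check replaces the structural fix of rendering privileged UI in an extension-origin frame rather than in the page's DOM.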
In a surprising development, Ormandy has now found that Microsoft bundles the same password manager with Windows 10. “I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called ‘Keeper’ is now installed by default,” he said. The bundled version carried the same class of flaw as the one he had reported 16 months earlier.
Ormandy also shared a proof-of-concept exploit that steals the user's Twitter password if it is saved in the Keeper application. The bug is currently subject to a 90-day disclosure deadline before the details are made public. In his report, Ormandy said he was being generous in treating this as a new issue that qualifies for a fresh 90-day disclosure period.
Within 24 hours of the report, Keeper's developers resolved the issue and pushed an automatic update, version 11.3. According to Keeper's announcement, no customers using the extension were affected; the vulnerable code had been present for eight days.
This incident underlines a broader problem with the bloatware pre-installed on Windows 10. If Microsoft chooses to bundle third-party vendors' software, it must subject that software to a strict security review to avert incidents like this one.