Microsoft is quietly forcing some Windows 10 computers to install a password manager that contains a critical vulnerability disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday.
Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a critical flaw he had found in August 2016 in the non-bundled version of Keeper. The bug, he said, represents “a complete compromise of Keeper security, allowing any website to steal any password.”
With only basic changes to “selectors,” the old proof-of-concept exploit worked on the version installed without notice or permission on his Windows 10 system. Ormandy’s post linked to a publicly available proof-of-concept exploit that steals an end user’s Twitter password if it’s stored in the Keeper app. Ormandy said Keeper developers have released a fixed version. Keeper representatives didn’t immediately respond to questions for this post.