Google finds a vulnerability in Windows 10’s Password Manager

by Anmol
December 16, 2017

Is Copilot the best AI companion out there? Help us find out by answering a couple of quick questions!

Google’s Security Researcher Tavis Ormandy has discovered a bug in Windows 10’s Password Manager which allows attackers to steal passwords. The flaw is with third-party Keeper password manager app which comes installed Windows 10 devices. Tavis says that the flaw is similar to the one he discovered back in 2016.

I remember filing a bug a while ago about how they were injecting privileged UI into pages. “I checked and, they’re doing the same thing again with this version.

– Tavis Ormandy

Tavis demonstrated the attack and shared the details as a part of Project Zero. The bug is subjected to a 90-day disclosure deadline which means that once 90 days are up, Tavis is free to share the details about the bug and how to exploit it publically.

This might sound scary but Keeper has already flagged the issue and as of yesterday, a new update has been pushed to fix the issue. The company addressed it in a blog post:

All customers running Keeper’s browser extension on Edge, Chrome and Firefox have already received Version 11.4.4 through their respective web browser extension update process. Customers using the Safari extension can manually update to version 11.4.4 by visiting Keeper’s download page. No reports of any customers affected by this bug have been reported to Keeper. Mobile Apps and Desktop Apps were not affected and do not require updates.

We hope that the new update fixes the issue and as an advisory, we recommend you to have all the apps up-to-date to prevent any attacks. You can download the extension for Edge from the Microsoft Store below.

Via: Windows Latest; Project Zero; Keeper

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}