Google’s Security Researcher Tavis Ormandy has discovered a bug in Windows 10’s Password Manager which allows attackers to steal passwords. The flaw is with third-party Keeper password manager app which comes installed Windows 10 devices. Tavis says that the flaw is similar to the one he discovered back in 2016.
I remember filing a bug a while ago about how they were injecting privileged UI into pages. “I checked and, they’re doing the same thing again with this version.
– Tavis Ormandy
Tavis demonstrated the attack and shared the details as a part of Project Zero. The bug is subjected to a 90-day disclosure deadline which means that once 90 days are up, Tavis is free to share the details about the bug and how to exploit it publically.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm
— Tavis Ormandy (@taviso) December 15, 2017
This might sound scary but Keeper has already flagged the issue and as of yesterday, a new update has been pushed to fix the issue. The company addressed it in a blog post:
All customers running Keeper’s browser extension on Edge, Chrome and Firefox have already received Version 11.4.4 through their respective web browser extension update process. Customers using the Safari extension can manually update to version 11.4.4 by visiting Keeper’s download page. No reports of any customers affected by this bug have been reported to Keeper. Mobile Apps and Desktop Apps were not affected and do not require updates.
We hope that the new update fixes the issue and as an advisory, we recommend you to have all the apps up-to-date to prevent any attacks. You can download the extension for Edge from the Microsoft Store below.