Windows 10 bundles a briefly vulnerable password manager

Keeper exposed punters to drive-by click-jack pwnage

Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.

On Friday, Ormandy publicly disclosed the bug, which lies not in the Microsoft operating system itself but in the third-party Keeper password manager bundled with it.

He wrote: “I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”

A full description of the bug is in the older issue Ormandy linked to. Because Keeper's browser extension injects its own UI into the web pages a user visits, a malicious page can style and position that UI (classic clickjacking) so that a visitor's click makes the extension fill a stored password into a form the attacker controls. The page can then read any password in the user's vault, not just one saved for the site being visited.

To demonstrate the flaw, Ormandy produced a proof-of-concept exploit that can steal a Twitter password from a vulnerable Keeper user.
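As an added illustration (not Keeper's code, and not Ormandy's proof of concept, which is not reproduced here), the Node-runnable JavaScript below contrasts the two designs in the simplest terms. The "vulnerable" handler mirrors the pattern the article describes: the picker UI sits in the page's own DOM, so whatever entry a clickjacked user ends up selecting is released into the page. The "hardened" handler shows one way a practitioner would close that hole: render the picker in an iframe served from the extension's own origin, accept fill requests only from that origin, and only release entries saved for the page's own registrable domain. The extension ID, vault entries and passwords are constructed for the example, and the registrable-domain helper is a deliberate simplification.

```javascript
// Added example, not code from Keeper or from the original article.
// Models the decision a password-manager content script makes when asked
// to release a vault entry into the current page.

// Assumed extension origin (the ID is made up; real IDs are 32 letters a-p).
const EXTENSION_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';

// Constructed vault for the example; nothing here is a real credential.
const VAULT = [
  { id: 'tw',   url: 'https://twitter.com/login',          username: 'alice', password: 'constructed-tw-secret' },
  { id: 'bank', url: 'https://online.example-bank.com/',   username: 'alice', password: 'constructed-bank-secret' },
];

// Simplified registrable-domain helper: last two host labels. Production code
// should consult the Public Suffix List (e.g. for co.uk); kept naive here.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Vulnerable pattern. The picker UI was injected into the page's DOM, so the
// hostile page can restyle, hide or reposition it (Ormandy: "I literally just
// changed the selectors"). The handler honours whatever entry the (clickjacked)
// user picked, with no check on who asked or which site is being filled.
function vulnerableFill(request, vault) {
  const entry = vault.find((e) => e.id === request.entryId);
  return entry ? { username: entry.username, password: entry.password } : null;
}

// Hardened pattern. The picker is rendered in an <iframe> whose src is the
// extension's own origin, which page script cannot reach into. The content
// script then (1) accepts fill messages only from that origin and (2) refuses
// to release an entry saved for a different registrable domain than the page.
function hardenedFill(request, vault, pageUrl) {
  if (request.senderOrigin !== EXTENSION_ORIGIN) return null;        // page cannot pose as the picker
  const entry = vault.find((e) => e.id === request.entryId);
  if (!entry) return null;
  if (registrableDomain(entry.url) !== registrableDomain(pageUrl)) {  // no cross-site fill
    return null;
  }
  return { username: entry.username, password: entry.password };
}

// Stand-alone demonstration: an attacker page asks for the Twitter entry.
if (typeof require !== 'undefined' && require.main === module) {
  const evilPage = 'https://evil.example/login.html';
  const evilRequest = { entryId: 'tw', senderOrigin: 'https://evil.example' };
  console.log('vulnerable handler releases:', vulnerableFill(evilRequest, VAULT));
  console.log('hardened handler releases:  ', hardenedFill(evilRequest, VAULT, evilPage));
  // Even a forged "extension" origin fails the domain check on evil.example.
  const forged = { entryId: 'tw', senderOrigin: EXTENSION_ORIGIN };
  console.log('forged origin on evil page:  ', hardenedFill(forged, VAULT, evilPage));
  console.log('legitimate fill on twitter:  ', hardenedFill(forged, VAULT, 'https://twitter.com/i/flow/login'));
}
```

The two checks are independent: the origin check stops the page from driving the picker, and the domain check limits the blast radius if a user is nonetheless tricked into confirming a fill, since a credential saved for twitter.com can then only ever land on twitter.com.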

Keeper Security has issued a patch to address the bug.

While releasing the fix, the company noted that a victim would have to be lured to an attacker's webpage while using the browser extension. ®




Biting the hand that feeds IT © 1998–2018