A noted Google developer has discovered a troubling flaw in a popular password manager that Windows 10 installs by default. Hackers could get their hands on user passwords via clickjacking and/or malicious code-injection techniques.
Google Project Zero researcher Tavis Ormandy made the discovery while playing around with a Windows 10 virtual machine.
He offers a description of the vulnerability on chromium.org, the forum dedicated to the open-source projects behind the Chrome browser and Chrome OS.
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” writes Ormandy. “I checked and, they’re doing the same thing again with this version. … this is a complete compromise of Keeper security, allowing any website to steal any password.”
He offers a proof-of-concept to show how an attacker could leverage the flaw to steal someone’s Twitter password.
When the people behind Keeper caught wind of the news, they acknowledged the bug and rushed to fix it.
“To resolve this issue, we removed the ‘Add to Existing’ flow and have taken additional steps to prevent this potential vulnerability in the future,” the Keeper team writes on the company blog.
“Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously,” the team says. “The security and protection of customer information and data is our top priority at Keeper. From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.”
So far, there have been no reports of any customers affected by the bug, while the company’s mobile and desktop apps remain unaffected – only the browser extensions seem to be vulnerable.
Since the bug’s disclosure, the Keeper extensions for Edge, Chrome and Firefox have received an automatic update with the fix. Safari users, however, need to manually download and install version 11.4.4 (or newer) by visiting Keeper’s download page.
Such a flaw defeats the entire purpose of a password manager, and the fact that Windows 10 relies on the software (by default) to store user passwords makes Ormandy’s discovery all the more worrying. Hopefully, the Keeper team won’t let such bugs slip through in the future.