When you pay for security software, you probably hope it’s protecting you — not creating a massive security breach in and of itself. But if you ran Trend Micro’s password manager, enabled by default for all Trend Micro users, any site on the web could have executed any app on your computer just by including a bit of code.
A patch issued today mostly solves the problem. But as Ars Technica reports, that only happened because Google Project Zero team member Tavis Ormandy publicly berated the company.
“I don’t even know what to say — how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?” wrote Ormandy in a long email exchange the company has since made public.