For almost two weeks, Microsoft quietly forced some Windows 10 computers to install a password manager with a browser plugin that contained a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday.
Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a bug that represents "a complete compromise of Keeper security, allowing any website to steal any password." He said he uncovered a flaw in the non-bundled version of the Keeper browser plugin 16 months ago that posed the same threat.
With only basic changes to "selectors," the old proof-of-concept exploit worked on the version installed without notice or permission on his Windows 10 system. Ormandy's post linked to this publicly available proof-of-concept exploit, which steals an end user's Twitter password if it's stored in the Keeper app. After this post went live, a Keeper spokesman said the bug was different than the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user had the accompanying browser plugin installed. The developer has fixed the flaw in the just-released version 11.4 by removing the vulnerable "add to existing" functionality.