Secret Gifts: Windows 10 Comes Bringing a Free Password Manager with a Critical Security Bug 


Hmm, read our post on Firefox sending an unwanted add-on to users? The day isn't over yet. Microsoft is yet again here to win this game of "don't give a crap about what your users think, want, or deserve." The company has been quietly shipping a password manager that contained a critical security vulnerability with Windows 10 downloads. The second problem? That bug was similar to another security flaw, first disclosed over 16 months ago, that enabled malicious websites to steal user passwords.

"I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called 'Keeper' is now installed by default," Google security researcher Tavis Ormandy said. "I assume this is some bundling deal with Microsoft."


While this problem was identified in the Keeper build that came with a fresh copy of Windows 10 downloaded straight from the Microsoft Developer Network, the non-bundled version of the plugin had this bug exposed over a year ago. The researcher went on to say that he remembered filing a bug about how the password manager was injecting privileged UI into pages.

"I checked and they're doing the same thing again with this version," he added. "I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works."

"Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password."

If you are a Keeper user, install the newly released version 11.4, which fixes this security vulnerability.

As for Windows 10 users, researchers said they won't be vulnerable unless they open the Keeper password manager and enable it to store their passwords. "This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension," Craig Lurey, co-founder and CTO of Keeper Security, said.

In its statement, Microsoft said that it's "aware of the report about this third-party app, and the developer is providing updates to protect customers."

Keeper has added that the company isn't aware of any attacks using this flaw in the wild. However, this incident just adds to the growing list of headaches for Microsoft's users. At least three different users have reported seeing this unwanted installation, including one on Windows 10 Pro. It remains unclear what security vetting Microsoft requires third-party software to go through before bundling it with Windows 10.