Windows 10 Third Party Password Manager Could Have Security IssuePosted by aonenetworks On January 5, 2018
Do you use “Keeper?” If you’re not sure what it is, then you probably don’t. It’s a password manager that Microsoft has been bundling with some of its Windows 10 releases. Either way, there’s a serious flaw in its design that you should be aware of.
Earlier in the year, Tavis Ormandy, a researcher on Google’s Project Zero team, discovered a bug that saw Keeper injecting privileged user information into web pages, exposing all manner of private data unnecessarily to website owners.
The potential damage comes from a user being lured onto a hacker-controlled website, whose owner could siphon up the information (including literally every password stored by Keeper) and resell it, or use it to launch a highly targeted attack against a specific user or device.
The bug was reported, and a patch was issued. Then, in a later version, Ormandy found the same bug cropping up again. He had this to say about the matter:
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and, they’re doing the same thing again with this version.
I think I’m being generous considering this a new issue that qualifies for a ninety-day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.”
Craig Lurey, the CTO of Keeper Security, had this to say when informed of the bug:
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension.”
The two important takeaways here are as follows:
- The company reports that so far as anyone can tell, this flaw has not actually been exploited in the wild.
- Keeper Security has issued an emergency patch that has disabled the “Add to Existing” feature, which is where the problem code actually resides.
This temporary measure was implemented as a stop-gap until the bug can be properly patched.