It appears that Microsoft is bundling a password manager with fresh installations of the Windows 10 operating system, and on top of that, the pre-installed password manager comes with a critical security bug. The vulnerability ships with Windows 10 downloads.
Google security researcher Tavis Ormandy discovered that a password manager pre-installed with Windows 10 contains a critical security flaw, and disclosed the vulnerability as part of Project Zero. The affected software is the third-party Keeper password manager, which comes pre-installed in some Windows 10 versions.
“I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and, they’re doing the same thing again with this version,” Ormandy explained.
Although the security flaw doesn’t exist in the Windows source code, it does affect the security of Microsoft users. The flaw allows attackers to steal passwords. The researcher also demoed the hack on Twitter, where he was able to steal the saved passwords. It “is a complete compromise of Keeper security, allowing any website to steal any password”.
Microsoft was aware of the security bug and the company says that the fix for the app is on its way. “We are aware of the report about this third-party app, and the developer is providing updates to protect customers,” a Microsoft spokesperson said.
Since Keeper is a reputable company, the Keeper password manager has already been updated with a fix for the flaw. Furthermore, Keeper has also confirmed that no customers were affected by this potential vulnerability.
“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a ‘clickjacking’ technique to execute privileged code within the browser extension,” the company behind Keeper password manager explained. Microsoft hasn’t revealed how many PCs have the Keeper password manager pre-installed, but if you have the app installed, you should make sure that it is up to date.