Google security bod finds security flaw in Microsoft Windows 10 password manager

Critical security update released for Microsoft password management software

A security researcher working for American technology giant Google claims to have identified a security flaw in a password management tool often bundled with Windows 10.

Tavis Ormandy, for whom finding security flaws is both a job and a hobby, said that the Keeper password manager had been injecting "privileged UI" into pages.

He noticed the bug a while back, but claims that the issue is still apparent with the current version of Keeper. Microsoft built-in the password manager into some versions of Windows 10 in order to encourage users' to improve their security practices.

To demonstrate the dangers posed by the vulnerability, Ormandy set up a demo page that shows how the issue works. He's already started developing a patch.

Although Ormandy found the issue in the past, he said it's still affecting a few Windows 10 products and has warned users to check for the vulnerability.

"I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked, and they're doing the same thing again with this version," he said.

Ormandy explained that the vulnerability means any website can steal users' passwords. "I think I'm being generous considering this is a new issue that qualifies for a 90-day disclosure, as I literally just changed the selectors and the same attack works,' he said.

"Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password."

Craig Lurey, co-founder and chief technology officer of Keeper, said that Ormandy got in touch as soon as he identified the security vulnerability. It emerged after a recent feature update.

"Yesterday (Dec 14), Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update," he said.

It works by tricking users to access dodgy websites. Lurey explained: "This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension.

However, the company has rushed out an update. "To resolve this issue, we removed the 'Add to Existing flow' and have taken additional steps to prevent this potential vulnerability in the future," he said.

"Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously.

"The security and protection of customer information and data is our top priority at Keeper. From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours."

He added: "All customers running Keeper's browser extension on Edge, Chrome and Firefox have already received Version 11.4.4 (or newer version) through their respective web browser extension update process.

"Customers using the Safari extension can manually update to version 11.4.4 (or newer) by visiting Keeper's download page."