For 8 days Windows bundled a password manager with a critical plugin flaw

For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug in, a researcher said Friday. The flaw was almost identical to one the same researcher disclosed in the same manager plugin 16 months ago that allowed websites to steal passwords.

Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found the browser plugin the app prompted him to enable contained a bug that represents “a complete compromise of Keeper security, allowing any website to steal any password.” He said he uncovered a flaw 16 months ago in the non-bundled version of the Keeper browser plugin that posed the same threat.

With only basic changes to “selectors,” Ormandy’s old proof-of-concept exploit worked on the new Keeper plugin. Ormandy’s post linked to this publicly available proof-of-concept exploit, which steals an end user’s Twitter password if it’s stored in the Keeper app and the plugin is enabled. After this post went live, a Keeper spokesman said the bug was different than the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user followed Keeper prompts to install the browser plugin. The developer on Friday fixed the flaw in the just-released version 11.4 by removing the vulnerable “add to existing” functionality. The fix came 24 hours after Ormandy privately reported the flaw to Keeper.

Fortunately, Windows 10 users wouldn’t have been vulnerable unless they opened Keeper, trusted it with their passwords, and followed prompts to install the browser plugin. If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first. Microsoft officials declined to say what testing it gives to third-party apps before they’re pre-installed, and by some accounts these apps are repeatedly reinstalled against users’ wishes even after being uninstalled. Microsoft representatives also declined to say what conditions caused Windows 10 computers to install the app.

In a statement, the representatives wrote: “We are aware of the report about this third-party app, and the developer is providing updates to protect customers.”

While Ormandy reported Keeper was installed on a virtual machine created from a version of Windows intended for developers, people participating in the above-linked Reddit discussion reported Keeper was also installed on laptops, in one case right after it was taken out of the box and in another after it had been wiped clean and had Windows reinstalled. A third person reported Keeper being installed on a virtual machine created with Windows 10 Pro.

It’s possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that somehow the Keeper vulnerability slipped through anyway. It’s also possible third-party apps don’t come with the same security assurances of other Microsoft software. Microsoft should provide an explanation how this happened and explain the precise conditions under which Keeper and other apps do and don’t get installed.

This post, including the headline, was updated to add comment from Keeper and Microsoft and to reflect details about the vulnerability and the Windows 10 versions reported to receive automatic installs. It was later edited to remove characterization the Keeper was forced on some Windows 10 users and to clarify the amount of time the prebundled version was vulnerable and the role of the browser plugin.