Critical flaw patched in Windows’ bundled password manager

The devs behind Keeper password manager, which now comes bundled with Windows 10, have patched a critical security vulnerability that could enable attackers to steal user credentials.

The flaw was spotted by Google security researcher Tavis Ormandy, who flagged a similar bug with Keeper Security last year and managed to reproduce the same attack following some minor modifications.

“I remember filing a bug a while ago about how they were injecting privileged UI into pages,” Ormandy said in a blog post. “I checked, and they’re doing the same thing again with this version.”

While the developers said the potential vulnerability would require a Keeper user to be lured to a malicious website while logged into the browser extension, Ormandy provided a simple proof-of-concept exploit that demonstrated the theft of a Twitter password:

“This is a complete compromise of Keeper security, allowing any website to steal any password,” he said.

The Keeper team patched the flaw within 24 hours, and said there have been no reports of any customers being affected by the bug.

“All customers running Keeper’s browser extension on Edge, Chrome, and Firefox have already received Version 11.4.4 through their respective web browser extension update process,” the company said.

“Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously. The security and protection of customer information and data is our top priority at Keeper.”