For almost two weeks, Microsoft quietly forced some Windows 10 computers to install a password manager with a browser plugin that contained a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday.
Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a bug that represents “a complete compromise of Keeper security, allowing any website to steal any password.” He said he uncovered a flaw in the non-bundled version of the Keeper browser plugin 16 months ago that posed the same threat.
With only basic changes to “selectors,” the old proof-of-concept exploit worked on the version installed without notice or permission on his Windows 10 system. Ormandy’s post linked to this publicly available proof-of-concept exploit, which steals an end user’s Twitter password if it’s stored in the Keeper app. After this post went live, a Keeper spokesman said the bug was different from the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user had the accompanying browser plugin installed. The developer has fixed the flaw in the just-released version 11.4 by removing the vulnerable “add to existing” functionality.
Fortunately, Windows 10 users wouldn’t have been vulnerable unless they opened Keeper, trusted it with their passwords, and used the browser plugin. If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago. Microsoft officials declined to say what testing the company gives to third-party apps before they’re pre-installed, and by some accounts these apps are repeatedly reinstalled on end users’ computers against their wishes. The representatives also declined to say what conditions caused Windows 10 computers to install the app.
In a statement, the representatives wrote: “We are aware of the report about this third-party app, and the developer is providing updates to protect customers.”
While Ormandy reported Keeper was installed on a virtual machine created from a version of Windows intended for developers, people participating in the Reddit discussion reported Keeper was also installed on laptops, in one case right after it was taken out of the box and in another after it had been wiped clean and had Windows reinstalled. A third person reported Keeper being installed on a virtual machine created with Windows 10 Pro.
It’s possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that the Keeper vulnerability somehow slipped through anyway. It’s also possible third-party apps don’t come with the same security assurances as other Microsoft software. Microsoft should explain how this happened and state the precise conditions under which Keeper and other apps do and don’t get installed.
This post, including the headline, was updated to add comment from Keeper and Microsoft and to reflect details about the vulnerability and the Windows 10 versions reported to receive automatic installs.