Windows 10 Third Party Password Manager Shipped with Vulnerability

Last Edited: December 18, 2017 | Published: December 18, 2017 by Matt Garrett


Third party software already loaded onto your machine for you before you even take it out of the box is pretty common these days. But how secure is this model? Recently, a Google researcher discovered a huge security hole in the third party app, Keeper, that is included in some of the most recent Windows 10 images.

In a blog post, Google researcher Tavis Ormandy described the flaw he found in the Keeper password manager. “I assume this is some bundling deal with Microsoft. I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”

It seems that the Keeper application had a pretty big hole in it: a malicious website could steal your stored passwords simply by getting you to visit it. Fortunately, this security hole was only present in version 11 of the software, and you could only fall victim to it if you had actually launched Keeper and begun using it as your password manager.

Microsoft, for its part, has declined to comment on the situation beyond a short statement: “We are aware of the report about this third-party app, and the developer is providing updates to protect customers.”

Thankfully, Keeper patched the security flaw in less than 24 hours after the bug was first discovered, announcing the update to the software in a post on their site. “To resolve this issue, we removed the ‘Add to Existing’ flow and have taken additional steps to prevent this potential vulnerability in the future. Even though no customers were adversely affected by this potential vulnerability, we take all reported security issues, vulnerabilities and bug reports seriously. The security and protection of customer information and data is our top priority at Keeper. From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.”

While it’s great to see the bug fixed so quickly, it does call into question the security procedures of Microsoft and its third party software partners. We all know that Microsoft puts its own software through stringent security testing before release, and even then security flaws and bugs are discovered. But how much testing do the third party companies do, and does Microsoft even hold them to any type of security standard?

At the end of the day, if one of these third party apps that has been installed for us isn’t secure, it doesn’t matter how secure Windows is with their software. So should they be forcing this software on us when they don’t even bother to assure us that it’s safe?

What do you think? Should Microsoft stop automatically installing software on our machines that they don’t create and should other PC makers follow suit? Tell me your thoughts in the comments below.

About the author

Matt Garrett

Matt is an IT professional with over fifteen years’ experience supporting network infrastructure and computers. An avid gamer, Matt enjoys his time playing and writing about his experiences both in the IT world and in the gaming communities. You can find more of his writing at LaptopNinja, where he enjoys talking about everything tech.
