Windows 10 bundles a briefly vulnerable password manager
Keeper exposed punters to drive-by click-jack pwnage
Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.
He wrote: “I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”
A full description of the bug is in the older issue Ormandy linked to. It can be exploited by a malicious webpage to read an arbitrary password that would be inserted into a site's login form by Keeper's browser extension.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm — Tavis Ormandy (@taviso) December 15, 2017
To demonstrate the flaw, Ormandy produced a proof-of-concept exploit that can steal a Twitter password from a vulnerable Keeper user.
Keeper Security has issued a patch to address the bug.
While releasing the fix, the company noted that a victim would have to be lured to an attacker's webpage while using the browser extension. ®