Microsoft bundled a password manager into Windows 10 with a critical security bug

As revealed by the researcher to Microsoft, the flaw was essentially a browser plugin bug that could enable malicious websites to steal passwords.


Microsoft has been bundling a third-party password manager with new installation files of its Windows 10 operating system. A security researcher has now discovered that the third-party software comes with a critical security bug.


As per a report by Engadget, it was Google's Project Zero researcher Tavis Ormandy who discovered the flaw and disclosed it to Microsoft. The flaw was essentially a browser plugin bug that could enable malicious websites to steal passwords. To demonstrate how easy it is to steal passwords with the plugin installed, Ormandy linked to a working demo of the bug stealing a user's Twitter password.

Ormandy explained in his disclosure post, "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they're doing the same thing again with this version. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password."

A Microsoft spokesperson, responding to Ars Technica, stated that the Keeper team had come up with a patch that fixes the problem, 24 hours after Ormandy had brought the bug to its notice. Microsoft attempted to reassure its users by stating that the bug should not be of any consequence if the software is up to date, but did not say why it failed to catch the bug in its security tests before the software was bundled with Windows 10.
