tech2 News Staff Dec 17, 2017 16:13 PM IST
Microsoft has been bundling a third-party password manager with new installation files of its Windows 10 operating system. A security researcher has now discovered that the third-party software comes with a critical security bug.
As per a report by Engadget, it was Google's Project Zero researcher Tavis Ormandy who discovered the flaw and disclosed it to Microsoft. The flaw was essentially a browser plugin bug that could enable malicious websites to steal passwords. To demonstrate how easy it is to steal passwords with the plugin installed, Ormandy linked to a working demo of the bug stealing a user's Twitter password.
Ormandy explained in his disclosure post, "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages. I checked and they're doing the same thing again with this version. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password."
According to a report by ArsTechnica, a Microsoft spokesperson said the Keeper team had come up with a patch that fixes the problem 24 hours after Ormandy had brought the bug to its notice. Microsoft attempted to reassure its users by stating that the bug should not be of any consequence if the software is up to date, but did not address why it failed to catch the bug in its security tests before the software was bundled with Windows 10.