We’ve talked about HP’s and BLU’s issues with unwanted software. One distributed a telemetry app that uses a lot of resources on the end user’s machine. The other distributed smartphone malware that killed its own phone. However, what about security programs that are themselves highly vulnerable? Have you ever heard of the program Keeper?
A Google Security Researcher revealed that Microsoft has been bundling a password manager which features a dangerous flaw with some versions of Windows 10. Tavis Ormandy noticed that his copy of Windows 10 included Keeper, which he had previously found to be injecting privileged UI into pages.
Now, Keeper in and of itself is a good password manager if the reviews it has gotten are anything to go by. The password manager uses 256-bit AES encryption, a zero-knowledge architecture and two-factor authentication. It also comes as an extension for a lot of popular web browsers such as Google Chrome, Mozilla Firefox and Safari.
However, the browser extension is the part that comes into question here. Mr. Ormandy noticed that the Windows 10 version of Keeper had the same exploitable flaw he had found in the software a year and a half earlier.
Without much effort and with only a few tweaks, Tavis soon found that anyone with bad intentions could steal any and all of the passwords stored within the Keeper app. He then shared the vulnerability details on Twitter to draw attention to it:
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. https://t.co/dbkznucgLm
— Tavis Ormandy (@taviso) December 15, 2017
The page Tavis is linking to leads to a Project Zero entry where he describes the process behind his finding. He started a virtual machine from a clean Windows 10 image and, from there, pulled off the same exploit he had reported long ago.
Now, not everything is doom and gloom in this case, especially since Keeper has patched the issue. However, this is still software that nobody asked for, and the public should be left with a choice about whether or not to install it.
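For an administrator who wants that choice back, the practical first step is to find out which Store apps a fresh Windows 10 image installs for every user and remove the ones that were never requested. The script below is an added example written for this article, not code from Keeper, Microsoft or Project Zero. It assumes an elevated PowerShell session on Windows 10, and the '*Keeper*' name pattern is an assumption, since the article does not give the package's identity; adjust the pattern to whatever bundled app you are auditing.

```powershell
# Added example (not from the article): inventory Store apps that are installed
# for any user, or provisioned into the image for all future users, whose name
# matches a pattern, and optionally remove them.
# Assumptions: elevated PowerShell on Windows 10; the default pattern '*Keeper*'
# is a guess, as the article does not name the package.
param(
    [string]$Pattern = '*Keeper*',
    [switch]$Remove
)

# Apps already installed in any user profile on this machine
$installed = Get-AppxPackage -AllUsers |
    Where-Object { $_.Name -like $Pattern }

# Apps staged in the image so they are installed for every new user account
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -like $Pattern }

"Installed packages matching ${Pattern}:"
$installed | Select-Object Name, Version, PackageFullName | Format-Table -AutoSize

"Provisioned packages matching ${Pattern}:"
$provisioned | Select-Object DisplayName, Version, PackageName | Format-Table -AutoSize

if ($Remove) {
    # Remove from existing profiles first, then from the image so it does not
    # come back for the next account that is created.
    foreach ($p in $installed) {
        Remove-AppxPackage -Package $p.PackageFullName -AllUsers
    }
    foreach ($p in $provisioned) {
        Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName
    }
}
```

Run it without -Remove first to see what matches; the provisioned list is the one that matters for a "pristine image" like the one in the tweet, because those packages are installed silently into every new user profile.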