Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Microsoft Security Privacy Windows

Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com) 48

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.

The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
This discussion has been archived. No new comments can be posted.

Windows 10 Bundled a Password Manager with a Security Flaw

Comments Filter:
  • by Memnos ( 937795 ) on Sunday December 17, 2017 @11:38AM (#55755355) Journal

    So.. rename it "Giver"?

  • by b0s0z0ku ( 752509 ) on Sunday December 17, 2017 @12:04PM (#55755443)
    Flaw? You mean "backdoor", created at the behest of one or more intelligence agencies?
    • Obviously a feature: https://imgur.com/gallery/bmQW... [imgur.com]
    • If it is still UN-patched one has to assume it is by design..

  • by 110010001000 ( 697113 ) on Sunday December 17, 2017 @12:08PM (#55755459) Homepage Journal
    ....but we still can't write small password keeper programs correctly yet. But somehow AI is going to happen.
    • Can't wait until the passwords to the A.I.s get leaked to anonymous image boards. That'll be a fun Dick Clark's hologram New Years.
  • by LVSlushdat ( 854194 ) on Sunday December 17, 2017 @12:16PM (#55755501)

    Windows 10 IS IN ITSELF a MAJOR security flaw... I think its too precious to call out one tiny piece of Windows 10 and complain about its security flaw.... Of course I will be ruthlessly downmodded by the Windows astroturfing squad... Do your worst, as MOST of us with half a clue know I'm right...

  • See subject line.

  • It's from Porter Industries, with fancy new headquarters in the basement of Lubyanka Square, Moscow.

    PorterPass : At least you know the NSA won't be spying on your passwords!

  • "I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.

    Looks like, keeper is installed, but the user needs to somehow "login" to keeper for this flaw to trigger. Then it injects some privileged UI into pages, it says. A malicious site can use click jack to steam password.

    Looks like, the victim should login to keeper, and then visit a malicious website. Not clear whether it is adding this privileged UI only into Edge/Internet Explorer or if it is injecting it into Chrome and Firefox as well.

    If Chrome/Firefox users are not affected, this gives one more reason

  • by LeftCoastThinker ( 4697521 ) on Sunday December 17, 2017 @01:47PM (#55755995)

    Trusting Microsoft was your first mistake. I don't trust those idiots to do anything. I wait years between upgrading Windows OS (no choice but to use MS due to critical software). I was on XP for years, finally upgraded to 7. I have no intention of going to Windows 10 until security updates for Windows 7 expire. I worry that with the update treadmill of Windows 10, it may turn out to be a perpetual bug cluster F*** since they can always just push out a new patch to fix what they broke in the last one.

    The most secure way to store your passwords is on a piece of paper next to your computer. For added security, abbreviate the parts of the password with a reminder rather than the actual part, so that only you can decode the reminder and create the actual password. The odds of someone breaking into your house, being interested in your password list and further figuring out you password hints to reconstruct your actual password are so minuscule as to be essentially zero. The odds of some organization that you use being hacked and compromising your information or login and password are far more likely.

    Until we start taking hacking more seriously: criminal charges for negligent security at corporations (i.e. not using best practices) and heavy corporate fines on a per victim level, and life sentences with no parole, etc. for hackers and black bagging non-extradition offenders (or just blocking/blacklisting non-extradition/bad actor countries), the hacking epidemic will continue to grow.

Show me a man who is a good loser and I'll show you a man who is playing golf with his boss.