Starting from Windows 10 Anniversary Update (Version 1607), Microsoft added a novel characteristic called Content Delivery Manager that silently installs novel "suggested apps" without yell for for users’ permission.
According to a blog post published Fri on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he establish a pre-installed famous password manager, called "Keeper," on his freshly installed Windows 10 organization which he downloaded direct from the Microsoft Developer Network.
Ormandy was non the exclusively i who noticed the Keeper Password Manager. Some Reddit users complained almost the hidden password director almost vi months ago, i of which reported Keeper beingness installed on a virtual auto created amongst Windows 10 Pro.
Critical Flaw In Keeper Password Manager
Knowing that a third-party password director forthwith comes installed yesteryear default on Windows 10, Ormandy started testing the software together with took no longer to detect a critical vulnerability that leads to "complete compromise of Keeper security, allowing whatever website to pocket whatever password."
"I don't desire to take away heed almost how fifty-fifty a password director amongst a petty remote root that shares all your passwords amongst every website is amend than nothing. People actually say me this," Ormandy tweeted.
The safety vulnerability inward the Keeper Password Manager was almost identical to the i Ormandy discovered together with reported inward the non-bundled version of the same Keeper plugin inward August 2016 that enabled malicious websites to pocket passwords.
"I checked and, they're doing the same matter in i trial again amongst this version. I intend I'm beingness generous considering this a novel number that qualifies for a xc twenty-four hr menstruation disclosure, every bit I literally only changed the selectors together with the same assail works," Ormandy said.
To explicate the severity of the bug, Ormandy also provided a working proof-of-concept (PoC) exploit that steals a user's Twitter password if it is stored inward the Keeper app.
Install Updated Keeper Password Manager
Ormandy reported the vulnerability to the Keeper developers, who acknowledged the number together with released a cook inward the just Keeper password manager together with enable the software to shop their passwords.
However, Microsoft withal needs to explicate how the Keeper password director gets installed on the users' computers without their knowledge.
Meanwhile, users tin role this registry tweak to disable Content Delivery Manager inward gild to forestall Microsoft from installing unwanted apps silently on their PCs.
