I was reading Tweets when I noticed the following post:
I don't want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. People really tell me this. ?
— Tavis Ormandy (@taviso) December 15, 2017
Some Windows 10 versions come with a pre-installed 3rd-party password manager app that could allow hackers to steal users credentials remotely.
Starting from Windows 10 Anniversary Update (Version 1607), Microsoft included in its OS a new feature called Content Delivery Manager that silently installs new “suggested apps” without notifying it to the users.
The hidden password manage was reported months ago by several Reddit users.
The presence of the password manager called Keeper was confirmed by the popular Google Project Zero hacker Tavis Ormandy who found the application pre-installed on his new Windows 10 system.
“I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this: https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
I assume this is some bundling deal with Microsoft.” wrote Ormandy in a blog post published on Chromium Blog.
“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works”
Ormandy decided to analyze the Keeper password manager searching for vulnerabilities to exploit to compromise the Windows installation.
After a few tests, Ormandy discovered a critical vulnerability in the Keeper Password Manager that could be exploited by attackers to “complete compromise of Keeper security, allowing any website to steal any password.”
The security vulnerability was quite identical to another issue discovered in August 2016 by Ormandy in the non-bundled version of the Keeper plugin that allowed malicious websites to steal passwords.
Ormandy also published proof-of-concept (PoC) exploit code that steals a user’s Twitter password if it is stored in the Keeper app.
Windows 10 users wouldn’t be affected unless they open Keeper password manager and enable the software to store their passwords.
Ormandy reported the flaw to the Keeper development team that addressed it in the released version 11.4.
Keeper declared it has not news of attacks exploiting the security vulnerability in the wild.
There is anyway a thing that the great Ormandy hasn’t discovered … why the Keeper password manager was pre-installed without users’ knowledge.
To disable the Content Delivery Manager it is possible to use these registry settings.
(Security Affairs – Keeper password manager, Windows 10)