Windows 10 bundles a briefly-vulnerable password manager
Google Project Zero’s Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.
On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”
The detail of the bug’s operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, Keeper allowed a malicious Web page to read the password the user was filling in from Keeper.
I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn’t take long to find a critical vulnerability. https://t.co/dbkznucgLm
— Tavis Ormandy (@taviso) December 15, 2017
Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.
Keeper Security has issued a patch for the bug.
Posting the patch, the company noted that a victim would have to be lured to an attacker’s site, while logged into the browser extension. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/18/windows_10_bundles_vuln/