Huge security flaw in Windows 10 that could have allowed hackers to STEAL the passwords of thousands of users is found by a Google analyst
- For eight days this month Windows 10 shipped with a flawed password manager
- The 'Keeper' app contained a bug that allowed hackers to access stored logins
- The bug meant criminals could take passwords of 1,000s of Windows 10 users
A huge security flaw in Windows 10 that could have allowed hackers to steal the passwords of thousands of users worldwide has been found.
For around eight days this month, some versions of the operating system shipped with a password manager with a massive security flaw, an analyst has revealed.
The bug meant cybercriminals could easily take the passwords stored in the third-party app and use them to break into people's online accounts.
Google researcher Tavis Ormandy said that when he tested the app, the browser plugin it asked him to enable contained a serious security bug.
The bug represented 'a complete compromise of Keeper security, allowing any website to steal any password', the software analyst wrote in a blog post.
The bug meant that hackers could trick the browser extension into letting them see the database of passwords stored by a user.
Mr Ormandy, who is based in California, added that he uncovered a similar flaw in the non-bundled version of the password manager's browser plugin 16 months ago.
A Keeper spokesperson has since claimed the bug was different to the one Mr Ormandy found last year.
They said the flaw only affected version 11 of the Keeper app, which was released on December 6, and that the problem was fixed eight days later.
Users were only exposed when they followed Keeper app prompts to install the browser plugin, the spokesperson said.
'Yesterday (Dec 14), Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update,' the spokesperson said.
'This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension.
'From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.
'No reports of any customers affected by this bug have been reported to Keeper.'
The defective version of 'Keeper Password Manager' came pre-installed on newly built Windows 10 systems derived directly from the Microsoft Developer Network.
But users on Reddit have reported that the software has also recently begun to appear on personal versions of the operating system.
User ToppestOfDogs said: 'I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I've never seen this come installed with Windows before.
'And this isn't a link to install it like some of the other apps, it's actually installed and opens.'
Microsoft has declined to comment.