Huge security flaw in Windows 10 that could have allowed hackers to STEAL the passwords of thousands of users is found by a Google analyst

  • For eight days this month Windows 10 shipped with a flawed password manager
  • The 'Keeper' app contained a bug that allowed hackers to access stored logins
  • The bug meant criminals could take passwords of 1,000s of Windows 10 users

A huge security flaw in Windows 10 that could have allowed hackers to steal the passwords of thousands of users worldwide has been found.

For around eight days this month, some versions of the operating system shipped with a password manager with a massive security flaw, an analyst has revealed.

The bug meant cybercriminals could easily take the passwords stored in the third-party app and use them to break into people's online accounts.

For around eight days this month, some versions of Windows 10 shipped with a password manager named 'Keeper' with a massive security flaw. The app asked users to enable a browser plugin (pictured) that contained a serious security bug

Google researcher Tavis Ormandy said that when he tested the app, the browser plugin it asked him to enable contained a serious security bug.

The bug represented 'a complete compromise of Keeper security, allowing any website to steal any password', the software analyst wrote in a blog post.

The bug meant that hackers could trick the browser extension into letting them see the database of passwords stored by a user.

Mr Ormandy, who is based in California, added that he uncovered a similar flaw in the non-bundled version of the password manager's browser plugin 16 months ago.

A Keeper spokesperson has since claimed the bug was different to the one Mr Ormandy found last year.

They said the flaw only affected version 11 of the Keeper app, which was released on December 6, and that the problem was fixed eight days later.

Users were only exposed when they followed Keeper app prompts to install the browser plugin, the spokesperson said.

'Yesterday (Dec 14), Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update,' the spokesperson said.

'This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then faking user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension.

The bug meant cyber criminals could easily take the passwords stored in the third-party app and use them to break into people's online accounts (stock image)

'From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.

'No reports of any customers affected by this bug have been reported to Keeper.' 

The defective version of 'Keeper Password Manager' came pre-installed on newly built Windows 10 systems derived directly from the Microsoft Developer Network.

But users on Reddit have reported that the software has also recently begun to appear on personal versions of the operating system.

The bug represents 'a complete compromise of Keeper security, allowing any website to steal any password', researcher Tavis Ormandy wrote in a blog post. Pictured is the Keeper password manager's homepage

User ToppestOfDogs said: 'I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I've never seen this come installed with Windows before.

'And this isn't a link to install it like some of the other apps, it's actually installed and opens.'

Microsoft has declined to comment.