Microsoft has been bundling a password manager that features a dangerous flaw with some versions of Windows 10, a Google security researcher has revealed.
Tavis Ormandy, a researcher for Google Project Zero, discovered a bug with Keeper a year ago that allowed any website to steal passwords from the software. When he found Keeper being bundled with Windows 10, he saw that the security problem had returned.
Ormandy even noted that he felt that he was being generous when he gave the 90-day disclosure deadline for the security issue, as it was not a new one at all. Nevertheless, Keeper quickly responded and has rolled out version 11.4, which will patch up the vulnerability.
Windows 10 users who find that they downloaded Keeper as part of a bundle should not be worried that their passwords were stolen, though. The information would only have become vulnerable if they opened Keeper, trusted the software with their passwords, and followed the instructions to install the browser add-on.
Ormandy was not the only one who noticed the Keeper Password Manager. Some Reddit users complained about the hidden password manager about six months ago, one of whom reported Keeper being installed on a virtual machine created with Windows 10 Pro.
The issue now is how Microsoft allowed a 16-month-old bug to slip through and be included in software that is bundled with Windows 10. In a statement, the company only said that it was aware of the security issue found in Keeper and that its developer provided the update to fix the problem.
It is unclear if Microsoft’s testing process for third-party apps, if there is one, was just unable to catch the bug or if Microsoft does not provide any assurances on the security of third-party apps bundled with Windows 10.