Windows 10 automatically installed insecure password manager for a week

For about a week, Microsoft installed a password manager in Windows 10 for certain users whose Chrome plug-in could pass on all stored data to a rogue website due to a vulnerability. The vulnerability has now been fixed.

The app in question is Keeper and is not developed by Microsoft itself. This app’s browser plug-in contains a vulnerability that allows malicious websites to use plug-in interface elements in web pages to request a username and password. The security hole had existed in Keeper for 16 months and Google security researcher Tavis Ormandy managed to exploit this vulnerability on the then latest version of the app and plug-in with some minor adjustments. He writes that in his report of the problem on December 14. He states it is a “complete threat to Keeper’s security.” “Any website can steal any password.”

Users were not at risk unless they actually started using Keeper and used the browser plug-in for Chrome. Meanwhile, on Friday the 15th, the developer gave the plugin an update. Keeper denies that it involved the same vulnerability as the one from 16 months ago. That is what the company tells Ars Technica.

Microsoft does not want to tell Ars what kind of process determines whether Keeper is installed or not. It seems that this is done automatically based on an estimate of the user’s interest in the application. There are even reports that the application can appear immediately after a clean installation of Windows 10. It is unknown what security tests a third-party Windows Store application must pass before it is eligible for automatic installation. Keeper has been in the news before for vulnerabilities in its product.