Stay safe from Windows 10's password manager vulnerability

We all know that Microsoft likes to bundle certain third-party applications directly into its operating system, but it would be nice if the IT giant thoroughly checked them first. For example, some of the latest Windows 10 builds have shipped with a password manager called Keeper which, because of a security flaw, allowed any website to steal the passwords stored in it. While only a few people were affected, this was still a big oversight on Microsoft's part.

Before you get too worried: Keeper wasn't bundled with every Windows 10 version out there, just with some fresh builds, and for the flaw to actually affect you, you would have had to first activate the plugin in your browser and then actually store usernames and passwords in it. What's even better is that Microsoft has been made aware of this and has already rolled out a security patch to fix the problem, so the flaw was only out there for about eight days. This means that all you have to do to stay safe from this vulnerability is to make sure you keep your Windows 10 up to date with the latest security patches.

Back to the flaw itself: it was discovered by Tavis Ormandy, a researcher from Google Project Zero. According to him, the password manager injected its trusted UI into untrusted websites, practically undoing any possible defenses against phishing attempts. This means that malicious websites could, with relative ease, gain access to the login information you wanted to store in the manager. For a tool that's supposed to make a living from keeping its users' data safe, that's a pretty big mistake.

Unfortunately, there are even bigger concerns. Firstly, the same researcher discovered a similar problem in Keeper over a year ago, and after the standard 90-day disclosure period the report became public. This means that the company that develops Keeper was already aware of this issue and either didn't care enough or didn't know enough to get rid of it in the following versions. The other issue relates to Microsoft itself and the fact that it was unable to identify an already public vulnerability in a tool it chose to bundle with its latest operating system. I know it may seem like I'm making mountains out of molehills, but generally, the people who use bundled tools are those who don't have a lot of experience with computers, and they're the ones who need the IT giant's protection the most.

While still not as bad as Apple's oversight, which allowed its latest operating system to be cracked simply by typing "root" as the username, this is still a problem for Microsoft, as it damages customers' trust in the company. Windows 10 was already considered abysmal when it came to privacy as, among other things, the OS even embeds a keylogger by default, so security scares are definitely not one of the things the IT giant had on its Christmas list.


Hariom deshwal

Very nice
