Google Project Zero researcher Tavis Ormandy has spotted a flaw in the Keeper browser password manager extension, which Microsoft recently started bundling with developer builds of Windows 10.
It doesn’t sound like good news, and in one important respect it isn’t – the existence of a security flaw is never better than no security flaw.
Peer a bit harder, though, and out of the gloom you might spot a surprising good news story worth paying attention to if you’re a Windows 10 user.
More on that later, but first the vulnerability itself, which is severe enough to allow a malicious website to steal any password accessed by the Keeper browser extension version 11.3, introduced on 8 December (and this includes people who downloaded the extension independently of Windows 10).
Ormandy said he’d encountered almost the same flaw in the (then unbundled) product in August 2016. Putting Keeper on notice of Project Zero’s 90-day disclosure-and-fix deadline, Ormandy wrote:
I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
But, let’s give credit to Keeper’s developers for quickly jumping on the issue:
From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.
Anyone running Keeper on Edge, Chrome or Firefox would automatically have received the updated version 11.4.4 or newer through the extension updating process.
Safari users should update manually by visiting a download page. Mobile and desktop versions are not affected by the flaw.
It would be easy to berate Microsoft over a flaw in a piece of software bundled with Windows, whether or not those downloading it were aware of its existence, but let’s dig deeper into the issues in play.
First, the software was part of a Windows 10 build downloaded from the Microsoft Developers Network (MSDN), a repository used by software professionals to test out beta Windows builds, and not Windows users at large.
They’d also have to be active users of the Keeper browser extension – just having the software wouldn’t expose anyone.
The thorny issue, then, is whether bundling security software is a good idea in the first place.
Microsoft has bundled software it deems helpful since the beginnings of Windows, although rarely from branded third parties. Doing so implies that some kind of security check has been carried out on the program.
It’s not clear whether this was done in this case, but even if it wasn’t, its inclusion does at least signal that Microsoft is thinking about including password management with future versions of Windows 10.
If so, this is good news. While the flaw reminds us that password managers are not infallible, they are surely better than no password manager at all. They improve password strength, reduce the likelihood that passwords are reused, and integrate multi-factor authentication.
Including even a basic password manager in Windows 10 or Edge would help boost uptake, a positive step.
Ironically, this flaw might not even have been noticed in time had it not been bundled by MSDN first.
So, let’s thank Ormandy for spotting a potentially serious flaw, but also praise Microsoft, however clumsily, for broaching the important issue of how users should be securing passwords.
xreppa
How to say, I’ve a brain, I know how to use it… don’t need to put all my passwords in an external system … no password stored = no hack …. simple and efficient …
If people are so dumb that they can’t remember passwords or secure their own data, maybe there’s a real question to ask ??? why do people have no education, no common sense… it’s too easy to say: “What, I was hacked … it’s Microsoft’s fault! for sure” … no, that’s yours, why did you store passwords in your system, while you put a small paper on a webcam to hide it …
Mark Stockley
Microsoft Research has shown that users need to maintain about 25 passwords each, on average. Creating and remembering 25 strong passwords is beyond most of us. It isn’t dumb to be unable to remember 25 different, random collections of 14 characters or more, it’s biology.
What is dumb is persisting, in the face of decades of real-world experience and some very good research, in asking users to do something that is demonstrably beyond them and demonstrably harms security, and then insulting them when they can’t.
Anon E. Mouse
I have to agree Mark.
I have my own system as I not only subscribe to MSDN but participate in other Beta testing groups (both Windows and Linux products), several forums, email accounts, and software/computer passwords to remember. I do recall most of them but the occasional “Brain Fart” may leave me without access.
As an “Average” user with enough IT experience I feel I can contribute to other Average Joes and Janes having a somewhat better system (or product) on their desktops. (I also think more users should get involved as I have seen many useful ideas (contributions) made by everyday users in my time, but that is a different story).
Even before I retired nine years ago software Beta testing became more of a user experience as companies downsized and laid off dedicated teams of testers. It seems to have become the Users’ ***responsibility*** to submit flaws in software. The only way new software gets out seems to be as nothing more than Beta releases, quickly jumped on by users, then becoming stable products. It is now the way it is, even with products from the big boys, IBM, Microsoft, Google, Facebook… Companies with enough resources to know better.
Anonymous
Sounds like you are using the same short and easily memorizable password everywhere.
Anon
I think the real lesson to learn here is “Never use browser extensions for password managers”. Yes they can be convenient but almost all vulnerabilities in password management systems have to do with the browser extensions exposing the credentials. Don’t use browser extensions and you most likely won’t have any issue.
Mark Stockley
I think this is a case of security nihilism. Reused passwords, stolen in data breaches, are abused constantly. Password manager bugs that allow the extraction of passwords are bad, and they’re eye-catching, but I’ve not yet seen a case of a password manager bug being exploited in the wild. I’m not excusing password manager bugs, or saying they aren’t serious, but if we could get everyone who reuses passwords to switch to using password managers, even ones that occasionally exhibit serious flaws, we’d fix a massive problem. Sure, we’d replace it with another problem, but that problem is far smaller.
Max
I think what he is saying is, use a password manager, but don’t use a browser extension with it (or don’t use a password manager that is a browser extension). I would agree to the extent that: Standalone PW manager > Browser extension PW manager > no PW manager.
Tony Gore
Between a rock and a hard place –
1) with hundreds of things I need passwords for, can’t sensibly remember them all – especially the ones only used once a year.
2) Browsers (/extensions) – at the mercy of security as they are clearly top hacking targets
3) Password Managers – all have their foibles, work cross platform, but again are high value targets
Laurence Marks
> Microsoft has bundled software it deems might be helpful since the beginnings of Windows, although rarely from branded third-parties.
Isn’t Windows Defender really your competitor, Giant Software?
> Doing so implies some kind of security check has been carried out on the program.
I sure hope they tested Defender well before deciding to include it.