Beware Of Windows 10’s Insecure Password Manager.
A flaw in the software's browser plugin allowed malicious websites to steal user passwords.
A Google Project Zero researcher, Tavis Ormandy, has revealed that Microsoft has begun to bundle with some versions of Windows 10 a third-party password manager that has a critical security breach.
Ormandy downloaded a Windows 10 OS image directly from the Microsoft Developer Network, which came with Keeper Password Manager pre-installed. He discovered the flaw in the operating system after installing the image on a virtual machine.
He claims the third-party software prompted him to install a browser plugin containing a flaw that would make it possible for malicious websites to steal user passwords. As he put it in his blog post:
“Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password: https://lock.cmpxchg8b.com/keepertest.html . We discussed possible fixes, it sounds like they're just going to disable the feature for now.”
The Keeper team has since patched the flaw (by disabling the feature for now), and users with updated software should not be affected unless they enabled the browser plugin.
Microsoft has often touted the improved security features of Windows 10, and its first-party apps and software undergo rigorous security tests.
But this is a sign that third-party software is sometimes not tested in depth, which is why ‘security analysts are often hesitant over manufacturers bundling other companies' software with their products’, as per itproportal.com.