A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year.
"I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.
"I checked and they're doing the same thing again with this version," the expert added, referring to the Keeper app bundled with some Windows 10 versions.
"I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password," Ormandy added.
To prove his point, the expert also created a demo page where Keeper users can see the vulnerability in action.
"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension," said Craig Lurey, co-founder and CTO of Keeper Security.
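Added illustration, not Keeper's code or anything from the original article: the precondition in Lurey's description is privileged extension UI that an arbitrary website can reach and overlay. One defender-side check is for that UI to refuse privileged actions whenever it finds itself framed by an origin it does not own. The window-like objects, the `guardPrivilegedAction` helper and the extension id below are assumptions constructed for the demo so it runs in Node without a browser.

```javascript
// Added example (not Keeper's code). A privileged extension UI page refuses to
// act when embedded by a page it does not control, which removes the framing
// step a clickjacking page depends on. Pure functions over window-like objects.

// True when `win` lives inside a frame whose top-level document is not ours.
function framedByUntrustedOrigin(win, trustedOrigin) {
  if (win.top === win) {
    return false; // top-level document: nothing can overlay or clip our UI
  }
  try {
    // Reading top.location only works for same-origin ancestors; a cross-origin
    // embedder (an arbitrary website) makes this throw a SecurityError.
    return win.top.location.origin !== trustedOrigin;
  } catch (err) {
    return true;
  }
}

// Gate a privileged action (e.g. filling or saving a credential) on the check.
function guardPrivilegedAction(win, trustedOrigin, action) {
  if (framedByUntrustedOrigin(win, trustedOrigin)) {
    return { executed: false, reason: 'privileged UI framed by untrusted origin' };
  }
  return { executed: true, result: action() };
}

// Constructed stand-ins for browsing contexts (placeholder extension id).
const EXT_ORIGIN = 'chrome-extension://exampleextensionid';
function makeTopLevelWindow(origin) {
  const w = { location: { origin } };
  w.top = w;
  return w;
}
function makeCrossOriginFramedWindow() {
  // Cross-origin top: any access to its location throws, as in a real browser.
  const top = {};
  Object.defineProperty(top, 'location', {
    get() { throw new Error('SecurityError: cross-origin frame access blocked'); },
  });
  return { top, location: { origin: EXT_ORIGIN } };
}

function demo() {
  const fill = () => 'credential filled';
  return {
    standalone: guardPrivilegedAction(makeTopLevelWindow(EXT_ORIGIN), EXT_ORIGIN, fill),
    framed: guardPrivilegedAction(makeCrossOriginFramedWindow(), EXT_ORIGIN, fill),
  };
}
```

This check complements, rather than replaces, keeping privileged UI out of the extension's web-accessible resources, since a page that cannot load the UI cannot frame it in the first place.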
The issue affects the Keeper browser extension version 11.3. The Keeper team issued an update less than 24 hours after receiving Ormandy's report.
The new Keeper browser extension version 11.4 is now being pushed to users, said Lurey. The exec said the team disabled the problematic "Add to Existing" feature until they fix the flaw within it for good.
Lurey said the company was not aware of any attacks using this flaw, nor have customers reported any security incidents where the bug might have been to blame.
Ormandy is part of Project Zero, an elite team of security researchers working for Google. This group searches for security flaws in common tools and applications used by Google and the general public.
After finding bugs, they report all issues they discover to manufacturers for free. In most cases, vendors ship fixes right away. In the past, Project Zero researchers have focused their efforts on the antivirus industry, Microsoft, and Apple products. Earlier this week, a Project Zero researcher disclosed a flaw and released a tool that could help users jailbreak devices running iOS versions up to 11.1.2.