I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). Amazingly, they're doing the exact same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

https://lock.cmpxchg8b.com/keepertest.html

Please consider adding regression tests before releasing an update for this issue, as I do not plan on creating new issues for every piece of UI I can dispatch events to, and attackers will certainly check them all.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 

	Windows 7-2017-12-13-16-13-38.png 24.4 KB View Download

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (  issue 917  ). Amazingly, they're doing the exact same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

https://lock.cmpxchg8b.com/keepertest.html

Please consider adding regression tests before releasing an update for this issue, as I do not plan on creating new issues for every piece of UI I can dispatch events to, and attackers will certainly check them all.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 

	Windows 7-2017-12-13-16-33-37.png 43.2 KB View Download

I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:

https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (   issue 917   ). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:

https://lock.cmpxchg8b.com/keepertest.html

Please consider adding regression tests before releasing an update for this issue.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 

	Windows 7-2017-12-13-16-33-37.png 43.2 KB View Download