Windows 10 Bundled a Password Manager with a Security Flaw

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.
The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.

Branding

[Memnos]

So.. rename it "Giver"?

Flaw? You mean...

[b0s0z0ku]

Flaw? You mean "backdoor", created at the behest of one or more intelligence agencies?

AI is right around the corder...

[110010001000]

....but we still can't write small password keeper programs correctly yet. But somehow AI is going to happen.

Re:Are some of these intentional?

[Rosco+P.+Coltrane]

Seems to me that a lot of these types of breaches may be intentional due to pressure from agencies who want the ability to spy on users and don't care what the repercussions are. Patch published breaches and create another one when things quiet down.

Hanlon's razor applies here: never attribute to malice that which is adequately explained by stupidity. In the case of Microsoft, there's plenty of stupidity to go around: when it comes to security and bugginess, they couldn't code their way out of wet paperbag - and haven't been able to in 42 years.

Somebody's gotta say it..

[LVSlushdat]

Windows 10 IS IN ITSELF a MAJOR security flaw... I think its too precious to call out one tiny piece of Windows 10 and complain about its security flaw.... Of course I will be ruthlessly downmodded by the Windows astroturfing squad... Do your worst, as MOST of us with half a clue know I'm right...

Trusting Microsoft is your first mistake

[LeftCoastThinker]

Trusting Microsoft was your first mistake. I don't trust those idiots to do anything. I wait years between upgrading Windows OS (no choice but to use MS due to critical software). I was on XP for years, finally upgraded to 7. I have no intention of going to Windows 10 until security updates for Windows 7 expire. I worry that with the update treadmill of Windows 10, it may turn out to be a perpetual bug cluster F*** since they can always just push out a new patch to fix what they broke in the last one.

The most secure way to store your passwords is on a piece of paper next to your computer. For added security, abbreviate the parts of the password with a reminder rather than the actual part, so that only you can decode the reminder and create the actual password. The odds of someone breaking into your house, being interested in your password list and further figuring out you password hints to reconstruct your actual password are so minuscule as to be essentially zero. The odds of some organization that you use being hacked and compromising your information or login and password are far more likely.

Until we start taking hacking more seriously: criminal charges for negligent security at corporations (i.e. not using best practices) and heavy corporate fines on a per victim level, and life sentences with no parole, etc. for hackers and black bagging non-extradition offenders (or just blocking/blacklisting non-extradition/bad actor countries), the hacking epidemic will continue to grow.