[German]It seems that Microsoft has bundled the Keeper password manager app within Windows 10 (Home and Pro). A security researcher found a vulnerability within the Keeper app, that allows web sites to stole passwords.
The bundles Keeper app
Microsoft ships a lot of (rubbish) preinstalled apps with Windows 10. That’s annoying, but not a real problem. But now, it seems, that Microsoft’s approach, to roll out (mostly unwanted) third party app to Windows 10 went terrible wrong. When installing Windows 10 from various Microsoft image files (the exact way this app was shipped) isn’t yet clear – I didn’t find the apps on my test systems – but some German blog reader confirmed the presence of the app) it seems, that the app Keeper was preinstalled. A user at reddit.com mentioned it also:
I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I’ve never seen this come installed with Windows before.
And this isn’t a link to install it like some of the other apps, it’s actually installed and opens.
(Keeper-Passwort-Manager in Windows 10 – Source: reddit.com)
The case has been documented with the screen shot above. At reddit.com other users reported within the thread, that the app has been shipped with Windows 10 Home and with Windows 10 Pro. I guess Windows 10 Enterprise isn’t affected. One user wrote, that he has uninstalled the app 3 times, but it got re-installed again.
The Windows 10 Content Delivery Manager
At this time it’s not clear, whether the Keeper app was included within the Windows 10 install image or if it was installed afterward. At reddit.com somebody posted a link to this article. The author of this article observed an obscure behavior during upgrading to Windows 10 Anniversary Update. He wrote:
With the Windows 10 Anniversary Update, Microsoft added a new feature to the Content Delivery Manager, a component of the OS which is also used for Windows Spotlight and app suggestions.
It now appears to silently install new apps for you without asking for any kind of confirmation.
After I spotted a few new apps after upgrading to the Anniversary Update (not immediately, a few hours later), I decided to take a closer look at this.
The article explains how to block this Content Delivery Manager using registry settings.
Keeper app with a vulnerability
Google’s security researcher Tavis Ormandy also observed after installing a fresh copy of Windows 10, that suddenly the Keeper password manager app has been installed. He has documented this on December 14, 2017 here. Tavis wrote:
I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this
[here was a link to the above linked reddit.com thread]:
I assume this is some bundling deal with Microsoft. I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
Tavis remembered that Keeper have had a security problems in the past, because they are injecting privileged UI elmentes into web pages. He inspected the new Keeper password manager app, preinstalled in Windows 10, and found the same vulnerability. This is a complete compromise of Keeper security, allowing any website to steal any password. Tavis linked to the demo page keepertest, that phishes a Twitter account password.
Tavis Ormandy informed Keeper about the vulnerability, and the developers released immediately a fix (as you can read within the this Keeper blog post). Dan Goodin from Arstechnica wrote, that Windows 10 has been bundled and shipped for 8 day with this critical vulnerarbility. Due to the fact, that the Content Delivery Manager has been introduced since Anniversary Update, Woody Leonhard mentioned, that the (potential) risk occurs since 16 months.
I haven’t found the app on my test system – updated via Windows Insider program. But I haven’t downloaded MSDN ISO images yet. The question: Was somebody of you affected? I received feedback from German blog readers, who found Keeper on their Windows 10 system after upgrading to Fall Creators Update.