Windows 10 password manager bug is hiding good news

Google Project Zero researcher Tavis Ormandy has spotted a flaw in the Keeper browser password manager extension, which Microsoft recently started bundling with developer builds of Windows 10.

It doesn’t sound like good news, and in one important respect it isn’t – the existence of a security flaw is never better than no security flaw.

Peer a bit harder, though, and out of the gloom you might spot a surprising good news story worth paying attention to if you’re a Windows 10 user.

More on that later, but first the vulnerability itself, which is severe enough to allow a malicious website to steal any password accessed by the Keeper browser extension version 11.3 (including for people who downloaded it independently of Windows 10), introduced on 8 December.

Ormandy said he’d encountered almost the same flaw in the (then unbundled) product in August 2016. Putting Keeper on notice of Project Zero’s 90-day disclosure-and-fix deadline, Ormandy wrote:

I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

But, let’s give credit to Keeper’s developers for quickly jumping on the issue:

From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.

Anyone running Keeper on Edge, Chrome or Firefox would automatically have received the updated version 11.4.4 or newer through the extension updating process.

Safari users should update manually by visiting a download page. Mobile and desktop versions are not affected by the flaw.

It would be easy to berate Microsoft over a flaw in a piece of software bundled with Windows, whether those downloading it were aware of its existence, but let’s dig deeper into the issues in play.

First, the software was part of a Windows 10 build downloaded from the Microsoft Developers Network (MSDN), a repository used by software professionals to test out beta Windows builds, and not Windows users at large.

They’d also have to be active users of the Keeper browser extension – just having the software wouldn’t expose anyone.

The thorny issue, then, is whether bundling security software is a good idea in the first place.

Microsoft has bundled software it deems might be helpful since the beginnings of Windows, although rarely from branded third-parties. Doing so implies some kind of security check has been carried out on the program.

It’s not clear whether this was done in this case, but even if it wasn’t its inclusion does at least signal that Microsoft is thinking about including password management with future versions of Windows 10.

If so, this is good news. While the flaw reminds us that password managers are not infallible, they are surely better than no password manager at all. They improve password strength, reduce the likelihood that passwords are reused, and integrate multi-factor authentication.

Including even a basic password manager in Windows 10 or Edge would help boost uptake, a positive step.

Ironically, this flaw might not even have been noticed in time had it not been bundled by MSDN first.

So, let’s thank Ormandy for spotting a potentially serious flaw, but also praise Microsoft, however clumsily, for broaching the important issue of how users should be securing passwords.