Google Project Zero’s Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.
On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.“
The detail of the bug’s operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, it allowed a malicious Web page to read the password the user was inserting from Keeper.
Source: The Register