It all begins with Windows 10 Anniversary Update (Version 1607). With this version, Redmond lovingly decided to whack in a new “feature” named Content Delivery Manager that knows what’s best for you. It decides to silently install new apps it thinks you’d just love. It does this without even asking the user, let alone getting permission.
Even worse, this hidden password manager was found months ago by keen-eyed redditors.
Google Project Zero hacker Tavis Ormandy initially made the discovery:
“I recently created a fresh Windows 10 VM with a pristine image from MSDN and found that a password manager called 'Keeper' is now installed by default. I’m not the only person that noticed this, I assume this is some bundling deal with Microsoft.”
Ormandy noted in a blog post published on the Chromium Blog.
“I remember filing a bug report a while ago about how they were injecting privileged UI into pages. I checked and they’re doing the same thing again with this version. I think I’m being generous considering this is a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”
Ormandy chose to examine the Keeper password manager, looking for vulnerabilities that could be used to compromise the Windows install. Very quickly, he discovered a critical vulnerability that would allow an attacker to steal any password. This was almost identical to another issue he found in August 2016.
To prove it worked, Ormandy published proof-of-concept exploit code (which I won’t link to) that would steal a user’s Twitter password if it’s stored in the Keeper application. Obviously, users wouldn’t be impacted if they didn’t use the app to store their passwords.
If you don’t like the idea of Windows silently installing apps without your permission, you can disable it with a quick hack of the registry. Pop this code in:
Windows Registry Editor Version 5.00
;0 = No Disable
;1 = Yes Enable (Default)
NB: This is just a managed hosting company’s blog. We’re not security experts. Caveat emptor and all that.