Google Project Zero researcher Tavis Ormandy discovered a vulnerability in a password manager dubbed “Keeper” that comes pre-installed by default in the new Windows 10 Anniversary Update (Version 1607).
On Friday, Ormandy published his findings on how the Keeper vulnerability could result in a “complete compromise of Keeper security.”
The vulnerability is related to a flaw in the Keeper browser extension update. According to a Keeper security update, the flaw could allow a Keeper user to be lured to a malicious website while logged into the browser extension, which could then allow the website to steal the user’s password remotely.
Keeper fixed the issue in the recent browser extension update 11.4.4, shortly after the bug was disclosed.
All users running Keeper’s browser extension on Edge, Chrome or Firefox should have already received the update via the web browser extension update process. Safari users will need to download and update to 11.4.4 manually.
Keeper has received no reports of any customers affected by the vulnerability.