The risk of losing all passwords is due to the built-in password management tool on Windows 10
An attacker can use Keeper to steal all the passwords stored here.
Since Windows 10 Anniversary Update (Version 1607), Microsoft added a new feature called Content Delivery Manager, silently installing recommended apps without user permission.
Posted on Chromium Blog, researcher Tavis Ormandy from the Google Project Zero project said that on Windows 10 machines downloaded directly from his Microsoft Developer Network installed a password management tool called Keeper.
Tavis is also not the only one, there are some users on Reddit saying that this Keeper Password Manager password management application has been silently installed on their computers 6 months ago.
Serious vulnerability on password management software
Knowing that 3rd party password management software is installed by default on Windows 10, Ormandy has tested it and discovered a serious vulnerability, 'allowing to steal any password'.
An attacker can use Keeper to steal all the passwords stored here
To explain, he also launched PoC https://lock.cmpxchg8b.com/keepertest.html stealing Twitter password when keeping this password on the Keeper application.
Install update Keeper Password Manager
Ormandy reported a vulnerability to Keeper and the company released patch 11.4 to fix the problem.https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/ Keeper also said they have not seen any actual attacks. "This flaw will trick users into poisoning websites, sign in with clickjacking and execute code inside the browser," said Craig Lurey, co-founder and Keeper Secutiry's CTO.
Although Windows 10 users will not be exposed to any risk without opening this software, Microsoft still needs to explain why it is installed on the machine without the user's permission.
If you want, you can tweak the registry https://github.com/WinPEGuy/OSConfig/blob/master/OSConfig%20Samples/Settings/Windows%2010/(w10)%20Content%20Delivery%20Manager%20-%20PreInstalledAppsEnabled% 20-% 20No.reg to disable the Content Delivery Manager, preventing Microsoft from installing unwanted applications on the PC.
See more:
- How to view the password, delete the saved password on Chrome
- Bitwarden password manager - Microsoft Edge's latest extension
- 25% of the 1.9 billion passwords and usernames bought on the black market are Google accounts
You should read it
- How to manage passwords on mPass Windows 10 - Secure account information
- Check the security of the password
- Can the security of a password manager be trusted?
- Use an 8-character Windows NTLM password? Congratulations, your password may be unlocked after only 2.5 hours
- How to Change Your Password in Windows 8
- 3 ways to 'force' users to change passwords periodically on Windows 10
- How to disable Windows Hello sign-in to log in with a password on Windows 10
- PassBox: Manager and create a free password for Windows 10/8/7
- Experience Keepass, impressive password manager
- Set BIOS and UEFI password to protect data on your Windows 10 computer safely
- 5 best password manager extensions for Firefox
- Microsoft uses images as passwords for Windows 8
Maybe you are interested
How to Watch Star Wars on Command Prompt NBA 2K22 Tips for Beginners How to Live in an RV Hot Bitcoin Department: Who will be the last one? Before 35 years old, still single, low salary: Don't forget to bring 25 things as luggage to 'live comfortably' with life Where does Super WiFi long-range exist?