Google Project Zero’s Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10.

On Friday, Ormandy dropped the bug, not in Windows but in the third-party Keeper password manager. He wrote: “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.”

The detail of the bug’s operation is in the older issue he linked. By injecting its trusted UI into untrusted processes, it allowed a malicious Web page to read the password the user was inserting from Keeper.

Very little changed in the new version, Ormandy said, and that gave him the chance to post a demo that could steal a Twitter password.

Keeper Security has issued a patch for the bug.

Posting the patch, the company noted that a victim would have to be lured to an attacker’s site, while logged into the browser extension.
