Microsoft has indirectly confirmed that a third-party app could’ve compromised Windows 10 users’ passwords. Google researcher Tavis Ormandy, discovered that Windows 10 image included a pre-installed third-party password manager app called Keeper. The app was found to come with a massive security loop, using which the website could ‘steal’ passwords, as reported by the Engadget website.
It has been reported that while Ormandy’s copy was an MDSN image for developers, some Reddit users confirmed the claim saying that they received the vulnerable copy of the app after clean reinstalls of regular copies. As mentioned by Ars Technica, Keeper spokesperson confirmed the news. The issue was only inside the version 11 of the app, which came out on December 6. The developer, however, fixed the flaw last week as a part of the app version 11.4. The fix reportedly arrived 24-hours after Ormandy privately reported it to Keeper.
Although the issue has been patched, it still questions the authenticity of the third-party apps that come installed in Windows 10. It is worth adding that if Windows 10 users have not yet opened the Keeper app and followed the instructions, they have nothing to worry about.
Ars Technica adds that Microsoft officials did not talk about what all tests they carry before making a third-party app pre-installed in the Windows 10 OS. They also did not comment on the cases when the Keeper app was re-installed against users wishes even after uninstalling it.
Last month, an AFP report, citing Microsoft CEO Staya Nadella, mentioned that Windows 10 is actively running on some 600 million devices worldwide. Nadella announced this figure at the company’s annual shareholder meeting.
Although 600 million is a huge figure, it was reportedly way behind company’s initial target of a billion devices that was to be touched by 2018.