Windows 10 自動安裝 Keeper 產生安全漏洞,然後 Keeper 決定告記者...

Ars Technica 報導了 Windows 10 自動安裝了 Keeper 這個密碼管理程式,然後這個管理程式被 Tavis Ormandy 發現有安全漏洞,可以讓惡意網站直接存取密碼 (參考「keeper: privileged ui injected into pages (again)」):「For 8 days Windows bundled a password manager with a critical plugin flaw」。

發現漏洞的作者在 16 個月前有抓到 Keeper 的漏洞 (參考「Keeper: Trusted UI is injected into untrusted webpage」),於是他就拿同樣的方法打一打,結果就爆了:

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

漏洞後來被修正了,但是 Keeper 也對 Ars Technica 的記者提告:「Security firm Keeper sues news reporter over vulnerability story」。

Keeper said in its lawsuit that Goodin and his employer, tech site Ars Technica, also named as defendant, "made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords."

這樣就清楚知道 Keeper 這家公司的調性了,之後看到他們家的東西要小心。