Knowing that a third-party password manager now comes installed by default on Windows 10, Ormandy started testing the software and took no longer to discover a critical vulnerability that leads to "complete compromise of Keeper security, allowing any website to steal any password." "I don't want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. The security vulnerability in the Keeper Password Manager was almost identical to the one Ormandy discovered and reported in the non-bundled version of the same Keeper plugin in August 2016 that enabled malicious websites to steal passwords."I checked and, they're doing the same thing again with this version.A publicly exposed API, called v B_Library_Template's cache Templates() function, allows fetching information on a set of given templates from the database to store them inside a cache variable.Besides technical details, the advisory also includes Proof-of-Concept (Po C) exploit code to explain the severity of this vulnerability.
Beyond Security claims, it tried to contact v Bulletin since November 21, 2017, but received no response from the company.
I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works," Ormandy said.
To explain the severity of the bug, Ormandy also provided a working proof-of-concept (Po C) exploit that steals a user's Twitter password if it is stored in the Keeper app.
Security researchers have uncovered another nasty piece of malware designed specifically to target industrial control systems (ICS) with a potential to cause health and life-threatening accidents.
Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected.