A huge security flaw in Windows 10 that could have allowed hackers to steal the passwords of thousands of users worldwide has been found.

For around eight days this month, some versions of the operating system shipped with a password manager with a massive security flaw, an analyst has revealed.

The bug meant cybercriminals could easily take the passwords stored in the third-party app and use them to break into people's online accounts, according to the Daily Mail.

Google researcher Tavis Ormandy said that when he tested the app, the browser plugin it asked him to enable contained a serious security bug.

The bug represented "a complete compromise of Keeper security, allowing any website to steal any password", the software analyst wrote in a blog post.

The bug meant that hackers could trick the browser extension into letting them see the database of passwords stored by a user.

Ormandy, who is based in California, added that he had uncovered a similar flaw in the non-bundled version of the password manager's browser plugin 16 months earlier.

A Keeper spokesperson has since claimed the bug was different from the one Mr Ormandy found last year.

They said the flaw only affected version 11 of the Keeper app, which was released on December 6, and that the problem was fixed eight days later.

Users were only exposed when they followed Keeper app prompts to install the browser plugin, the spokesperson said.

"Yesterday (Dec 14), Tavis Ormandy (a highly-respected security researcher at Google) contacted us about a potential vulnerability in our browser extension update," the spokesperson said.

"This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension.

"From the time we were notified of this issue, we resolved it and issued an automatic extension update to our customers within 24 hours.

"No reports of any customers affected by this bug have been reported to Keeper."

The defective version of "Keeper Password Manager" came pre-installed on newly built Windows 10 systems derived directly from the Microsoft Developer Network.

But users on Reddit have reported that the software has also recently begun to appear on personal versions of the operating system.

User ToppestOfDogs said: "I just reinstalled Windows 10 today, and I was uninstalling all the bundled apps like usual, and I noticed that Keeper Password Manager is preinstalled now. I've never seen this come installed with Windows before.

"And this isn't a link to install it like some of the other apps, it's actually installed and opens."

Microsoft has declined to comment.