With Windows 10 Anniversary Update (version 1607), Microsoft presented its loyal users with an unwanted gift: a new feature called Content Delivery Manager that silently installs “suggested apps” on systems, without informing the users or seeking their permission.

Keeper, a password manager app, is one such app that was installed on users’ systems without their consent. Not only was Microsoft silently installing this app on existing systems, it also bundled the app with the latest image of Windows 10.

Keeper has a known vulnerability that allows an attacker to steal passwords and credentials remotely. The vulnerability was discovered by a Google Project Zero researcher, Tavis Ormandy, who called it “a complete compromise of Keeper security, allowing any website to steal any password.” Ormandy discovered a bug in Keeper some 16 months ago that posed the same threat.

In response to Ormandy’s report, Craig Lurey of Keeper Security said, “This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension.”

Keeper Security resolved the problem by removing the “Add to Existing” flow and assured customers that it has taken additional steps to prevent this potential vulnerability in the future.