Microsoft Edge Stores Passwords In Plaintext In RAM (pcmag.com) 12
Longtime Slashdot reader UnknowingFool writes: Security researcher Tom Joran Sonstebyseter Ronning has found that Microsoft Edge stores passwords in plaintext in RAM. After creating a password and storing it using Edge's password manager, Ronning found that he could dump the RAM and recover his password which was stored in plaintext. Part of the issue is Edge loads all passwords to all sites upon a single verification check, even if the user was not visiting a specific site. This is very different from Chrome, which only loads passwords for specific websites when challenged for the site's password. Also, Chrome will delete the password from memory once the password has been filled. Edge does not delete the passwords from memory once they are used.
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
good thing that ActiveX plugin are not an thing an (Score:2)
good thing that ActiveX plugin are not an thing any more
Place your bets....state actor or AI slop? (Score:2)
Re:Place your bets....state actor or AI slop? (Score:4, Insightful)
I'm guessing not a state actor. They already have enough other backdoors that Microsoft already put in for them, and plaintext is just too obvious even for them.
My bet is that this is just one more example in the already giant collection demonstrating Microsoft's utter incompetence around good engineering, robust security, and properly testing products before releasing them.
My "design choices" involve... (Score:3, Funny)
... designing my workflow to avoid using this browser.
I'd love to trash Edge, but... (Score:3)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.
For that matter, an attacker with that much control over your system can even get your passkeys, unless those are stored in some OS-managed secure enclave and they require user authentication in the loop (e.g. a biometric which is matched in the secure enclave, and ideally with a secure path from scanner to enclave).
Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.
Re: (Score:2)
It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.
Re: (Score:3)
For the "secure" model,
What immediately comes to mind is a multi-process design (which I know that Chrome does use, but not to what extent).
The ability to read/decrypt passwords would be kept in a separate process from whatever handled rendering the website and runnings its javascript (since that's the most exposed to security challenges).
The head process woul
Re: I'd love to trash Edge, but... (Score:2)
Not deleting the password from memory is where Edge ultimately exposes itself excessively compared to competition. This is what happens when you have programmers that only think in terms of a Turing machine abstraction, versus doing practical threat modeling.
Re: (Score:2)
If an attacker has enough control of your machine to dump the password database, they have enough control
Er, I meant if they have enough control to dump RAM. Thinko because what I was thinking is that if they can dump RAM they can dump your password database, too (unless user authentication is in the loop and that authentication relies on secrets not in the device).
Re: (Score:3)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.
Microsoft is sort of right, but in other ways very wrong. The scope of this is huge. There's a big difference between malware getting my Slashdot password when I log into Slashdot, and malware getting my ban
Microsoft part right, part wrong (Score:2)
Yes you'd need malware to dump contents of the RAM in order to extract the passwords, but this is a vector none the less. Microsoft made a lot of noise in the past about secure credential management, using Windows Hello for authentication and password managers meaning you are immune from any key loggers attempting to get at your data. Also there's a difference between exploiting one password and exploiting ALL passwords. Logging into Slashdot shouldn't expose someone's banking password for example.
That said
Security is a philosophy (Score:2)
Big Picture (Score:2)
Sure. One machine is compromised, in the MS engineers' heads.
The trouble is now there is a standardized, repeatable location and methodology that can be used to now get ALL the passwords ever typed into edge. Suddenly the text file sitting on my desktop named nextcomputerbuild.txt is a significantly less likely to be directly targeted by bad actors.
They need to think through - yup machine is hosed. Oh well...should have had better antivirus.... and eventually get to the point of realizing ermagerd now my