Microsoft Edge Stores Passwords In Plaintext In RAM (pcmag.com) 79

Longtime Slashdot reader UnknowingFool writes: Security researcher Tom Joran Sonstebyseter Ronning has found that Microsoft Edge stores passwords in plaintext in RAM. After creating a password and storing it using Edge's password manager, Ronning found that he could dump the RAM and recover his password which was stored in plaintext. Part of the issue is Edge loads all passwords to all sites upon a single verification check, even if the user was not visiting a specific site. This is very different from Chrome, which only loads passwords for specific websites when challenged for the site's password. Also, Chrome will delete the password from memory once the password has been filled. Edge does not delete the passwords from memory once they are used.

Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users.
"Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
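
The difference the summary describes, between decrypting every stored password at unlock and decrypting one on demand and wiping it after use, shown as an added C example (not code from Edge, Chrome, or the researcher). The XOR "cipher", the `arena` buffer standing in for process memory, the sample sites and passwords, and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW    32
#define N_ENTRIES 3
#define TOY_KEY   0x5A  /* stand-in key; a real vault uses an OS-protected key */

struct entry { const char *site; uint8_t ct[MAX_PW]; size_t len; };
static struct entry vault[N_ENTRIES];

/* Simulated process memory: what a RAM dump of the "browser" would contain. */
static uint8_t arena[N_ENTRIES * MAX_PW];

/* XOR stands in for real decryption; only the plaintext lifetime matters here. */
static void toy_crypt(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ TOY_KEY;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Build the constructed sample vault (only ciphertext is kept) and clear the arena. */
static void vault_init(void) {
    static const char *sites[N_ENTRIES] = {"news.example", "bank.example", "mail.example"};
    static const char *pws[N_ENTRIES]   = {"hunter2-news", "S3cret-bank!", "correct-horse"};
    for (int i = 0; i < N_ENTRIES; i++) {
        vault[i].site = sites[i];
        vault[i].len  = strlen(pws[i]);
        toy_crypt(vault[i].ct, (const uint8_t *)pws[i], vault[i].len);
    }
    secure_wipe(arena, sizeof arena);
}

/* Defender-side check: how many vault passwords appear in plaintext in a snapshot? */
static size_t count_exposed(const uint8_t *dump, size_t dump_len) {
    size_t hits = 0;
    for (int i = 0; i < N_ENTRIES; i++) {
        uint8_t needle[MAX_PW];
        size_t n = vault[i].len;
        toy_crypt(needle, vault[i].ct, n);
        for (size_t off = 0; n > 0 && off + n <= dump_len; off++) {
            if (memcmp(dump + off, needle, n) == 0) { hits++; break; }
        }
        secure_wipe(needle, sizeof needle);
    }
    return hits;
}

/* Bulk pattern: one unlock decrypts every entry and leaves it resident. */
static void bulk_unlock(void) {
    for (int i = 0; i < N_ENTRIES; i++)
        toy_crypt(arena + (size_t)i * MAX_PW, vault[i].ct, vault[i].len);
}

/* On-demand pattern: decrypt only the requested site's entry, use it, wipe it.
   Returns how many plaintexts were resident while in use, or -1 on error. */
static int fill_one(const char *site, char *form_field, size_t field_size) {
    for (int i = 0; i < N_ENTRIES; i++) {
        if (strcmp(vault[i].site, site) != 0) continue;
        size_t n = vault[i].len;
        if (n + 1 > field_size) return -1;
        toy_crypt(arena, vault[i].ct, n);
        memcpy(form_field, arena, n);   /* caller wipes form_field after submit */
        form_field[n] = '\0';
        int resident = (int)count_exposed(arena, sizeof arena);
        secure_wipe(arena, MAX_PW);
        return resident;
    }
    return -1;
}

int main(void) {
    char field[MAX_PW + 1];
    vault_init();
    bulk_unlock();
    printf("bulk unlock: %zu of %d passwords in the dump\n",
           count_exposed(arena, sizeof arena), N_ENTRIES);
    vault_init();
    int during = fill_one("news.example", field, sizeof field);
    printf("on-demand: %d resident during fill, %zu after\n",
           during, count_exposed(arena, sizeof arena));
    secure_wipe(field, sizeof field);
    return 0;
}
```
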

  • by Joe_Dragon ( 2206452 ) on Wednesday May 06, 2026 @07:07PM (#66131130)

    good thing that ActiveX plugins are not a thing any more

  • by furry_wookie ( 8361 ) on Wednesday May 06, 2026 @07:10PM (#66131134)
    Who wants to bet... either a state actor asked them to do this so they could take advantage of it or was it AI slop doing its usual quality work?
    • by JustNiz ( 692889 ) on Wednesday May 06, 2026 @07:28PM (#66131158)

      I'm guessing not a state actor. They already have enough other backdoors that Microsoft already put in for them, and plaintext is just too obvious even for them.
      My bet is that this is just one more example in the already giant collection demonstrating Microsoft's utter incompetence around good engineering, robust security, and properly testing products before releasing them.

    • I doubt it's AI slop.

      Edge has been storing passwords long enough that I assume the password manager code predates AI coding.

    • by stooo ( 2202012 ) on Thursday May 07, 2026 @02:16AM (#66131460) Homepage

      >> Place your bets....state actor or AI slop?
      MS is AI slop.
      MS is a state actor.

    • by AmiMoJo ( 196126 )

      Given that Edge is just a Chrome skin, it seems like they must have gone out of their way to remove the protection Chrome has and replace it with their own worse version.

  • by davidwr ( 791652 ) on Wednesday May 06, 2026 @07:14PM (#66131140) Homepage Journal

    ... designing my workflow to avoid using this browser.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday May 06, 2026 @07:21PM (#66131150) Journal

    I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.

    If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.

    For that matter, an attacker with that much control over your system can even get your passkeys, unless those are stored in some OS-managed secure enclave and they require user authentication in the loop (e.g. a biometric which is matched in the secure enclave, and ideally with a secure path from scanner to enclave).

    Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.

    • by dskoll ( 99328 ) on Wednesday May 06, 2026 @07:23PM (#66131154) Homepage

      It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.

      • It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.

        Nah. You just try all the bytes. It's not that many.

    • I'm not familiar with the exact implementations, but it's actually not hard to imagine a scenario where 1 is needlessly vulnerable, and 1 is not.

      For the "secure" model,
      What immediately comes to mind is a multi-process design (which I know that Chrome does use, but not to what extent).
      The ability to read/decrypt passwords would be kept in a separate process from whatever handled rendering the website and running its JavaScript (since that's the most exposed to security challenges).
      The head process woul
      • If you have a process that provides a service that hands out passwords, it's irrelevant whether the passwords are plaintext or ciphertext. An attacker who compromises a rendering process can only query -- but can probably query a lot. An attacker who breaches the process separation, well...

        Note that this is separate from whether the on-disk database needs to be encrypted. There are additional threat vectors there.

        • by stooo ( 2202012 ) on Thursday May 07, 2026 @02:20AM (#66131462) Homepage

          >> An attacker who compromises a rendering process can only query
          Nah. Very different threat than getting a RAM dump.
          RAM dumps get, for example, sent to Microslop for analysis of crashes (and storing of your passwords if you are one of the 6 users that use Edge.)

          • RAM dumps get, for example, sent to Microslop for analysis of crashes (and storing of your passwords if you are one of the 6 users that use Edge.)

            There's an absolute shitload of Edge users out there... at work. Some people, not naming any names here, are only allowed to use Edge as a password manager despite also having Chrome on their systems, and of course not having access to a password manager which is actually reasonably secure like Firefox. The "logic" behind this is that the employer has a deal (which surely won't be altered!) with Microsoft to not use their data. Yes, a pinky swear, that's the basis of the decision to hand passwords to Micros

    • by OrangeTide ( 124937 ) on Wednesday May 06, 2026 @07:28PM (#66131160) Homepage Journal

      Not deleting the password from memory is where Edge ultimately exposes itself excessively compared to competition. This is what happens when you have programmers that only think in terms of a Turing machine abstraction, versus doing practical threat modeling.

    • If an attacker has enough control of your machine to dump the password database, they have enough control

      Er, I meant if they have enough control to dump RAM. Thinko because what I was thinking is that if they can dump RAM they can dump your password database, too (unless user authentication is in the loop and that authentication relies on secrets not in the device).

    • by thegarbz ( 1787294 ) on Wednesday May 06, 2026 @07:43PM (#66131174)

      I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.

      Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.

      Microsoft is sort of right, but in other ways very wrong. The scope of this is huge. There's a big difference between malware getting my Slashdot password when I log into Slashdot, and malware getting my banking password when I log into Slashdot.

      • by trawg ( 308495 )

        Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.

        Maybe I'm misunderstanding what you mean by 'auth' here, but on my PCs (Windows 10):

        It does require auth for passkeys, I think every time, but not for regular saved passwords in the browser. I have Windows Hello set up for a couple passkeys and I have to auth via Hello when I use them.

        But I have regular saved passwords for almost every other website I use routinely and am not prompted to auth via Hello for that. My understanding is that for these, the auth/unlock is done once at user login and then the ses

        • Chrome has a setting to require Windows Hello when filling in passwords. You can turn this option on or off.

          • by trawg ( 308495 )

            Ah interesting, never seen that before! I've just turned it on to see how annoying it is.

        • It does require auth for passkeys, I think every time, but not for regular saved passwords in the browser.

          Then you probably have some legacy computer setting enabled. Yes passkeys have always triggered Windows Hello auth, but on both my devices if I click on the username field and select my username (even on Slashdot which doesn't support passkeys), it brings up the familiar "Making sure that it's you" Windows Hello auth process before retrieving the password and filling it in. Applying this to password fields is something I've only seen for the past year or two.

          The same applies to looking at passwords. If I op

      • Windows? The last version of Windows I used was Windows 2000.
        • Congrats on being a special little boy. Now if you have anything else to add to the discussion that very much affects most normal computer users, please do chime in.

    • It shows that for Microsoft, security is an afterthought rather than a priority, with the obvious result that Microsoft software is not secure.

      RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.
      • It shows that for Microsoft, security is an afterthought rather than a priority, with the obvious result that Microsoft software is not secure. RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.

        If Chrome has access to them without user authentication, then so does any attacker who can dump Chrome's RAM.

    • by znrt ( 2424692 ) on Wednesday May 06, 2026 @08:20PM (#66131216)

      I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here

      i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...

      you couldn't make this shit up, brought to you by "closed proprietary software".

      then again, decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice. it's flabbergasting. you access sensible information only when needed and dispose of it after use, and even zeroing the memory should be par for the course. this is basic hygiene in any context.

      both the pretext of "efficiency" and completely disregarding "defense in depth" are just laughable, even moreso if the information is as sensible as passwords no less, and augment "incompetency" to "pathetic clown level incompetency".

      • I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here

        i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...

        There's really no irony here. TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.

        decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice

        It's really no different from keeping the password database encryption key in RAM, or the capability which grants access to the database encryption key (however many layers of that you want to go down) which is what you have to do if you want to be able to use the passwords on-demand without an authentication step.

        • by stooo ( 2202012 )

          >> TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.
          Nope. TPM serve to lock down Hardware so you can't install Linux easily.

        • If an attacker can only get a RAM dump, gaining the password database encrypt key doesn't matter. They can't do anything with it as they don't have the database. If that RAM dump instead contains all your passwords, that's all they need. There are times when someone can only see things in memory. An easy example of that is sending a core dump for bug reporting.

          But let's also look at this from a different angle. Loading and keeping all this in memory is unnecessary memory bloat, SSD access, and processin

        • by znrt ( 2424692 )

          There's really no irony here. TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.

          making a tpm a requirement to ensure not running malicious code and then completely disregarding elemental security considerations in a component that is designed to run untrusted code ... you might not appreciate the irony or even the comicality, but do you really still not see the contradiction? then read on ...

          It's really no different from keeping the password database encryption key in RAM

          the whole point of the tpm in this use case is to securely store and use that key!

          you just added another hilariously failed attempt at excusing something for which there is no excuse:
          - but, but,

        • There's really no irony here. TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.

          Completely false. Not only in your understanding, but in the reality that the TPM is actively used by other Chromium based browsers.

          TPM is a trusted credential store. It has nothing to do with checking if your software hasn't been modified. It can't. The best you can do is hash your software and store that hash in the TPM and then use a userland application to verify the integrity of your software.

          As for how TPM applies here, look to Chrome. When you go to pre-fill a password in Chrome it triggers a FIDO2 a

    • by trawg ( 308495 )

      Been trying to figure out how Chrome does this because my recollection was that Chrome had the exact same problem - I remember making a similar point to you in forum threads a couple years back with people complaining about it then.

      It looks like in 2024, Chrome added support [googleblog.com] for something called the Data Protection API (DPAPI [microsoft.com]), which provides some mitigation against arbitrary memory reads:

      App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.

      Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software - and more likely to be detected

      It's not clear from my quick read if this defends against this class of "attack" in all cases but it reads like it migh

    • unless the browser required authentication for every password retrieval.

      It would be much safer if the browser requires authentication for each site. Generally most users are not opening new sites every second. A possible threat is the one in the summary.

      If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.

      The whole point is an attacker dumping the encrypted password database does little as it is encrypted. Chrome and other password managers only decrypt one password at a time. Even if an attacker exposes that password, all the other passwords are safe.

      Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.

      To me, the Edge way is just laziness. It is also less efficient by storing eve

      • they can dump your password database,

        The password database is encrypted. At least it should be.

        • they can dump your password database,

          The password database is encrypted. At least it should be.

          If the browser can decrypt it without you entering a password or doing a biometric authentication to a secure enclave, then so can an attacker who controls the browser. Encrypting the database achieves something useful against an attacker who can read the browser's files, but not against an attacker who can dump the browser's RAM.

          • If the browser can decrypt it without you entering a password or doing a biometric authentication to a secure enclave, then so can an attacker who controls the browser.

            Do you even know how password managers work? All your arguments stem from your flawed understanding of how they work. This is not how they work.

            Encrypting the database achieves something useful against an attacker who can read the browser's files, but not against an attacker who can dump the browser's RAM.

            Did you even read the summary? Chrome and Firefox only decrypt one password at a time and then delete the password from memory once used. Only Edge loads the entire database in memory.

    • > If an attacker has enough control of your machine...

      Not a plot-twist. Microsoft is the attacker or aiding and abetting someone that is. You are evaluating the world as if rules of conduct still exist anywhere among the ruling class.

      • > If an attacker has enough control of your machine...

        Not a plot-twist. Microsoft is the attacker or aiding and abetting someone that is. You are evaluating the world as if rules of conduct still exist anywhere among the ruling class.

        Put the tinfoil hat down and step away...

        • Put the tinfoil hat down and step away...

          Microsoft has engaged in unlawful activity time and again, it takes a special kind of idiot to believe they won't do it again.

          Microsoft is a defense contractor and has been for decades, it takes a special kind of stupid to believe they won't willfully aid the same kind of evil they've been contributing to for decades.

          You can choose not to be stupid about Microsoft. All it takes is a willingness to consider everything we know about them. Or, you know, anything we know about them.

    • Agreed. A while back, I had a security training that mentioned that passwords should always be stored in the stack and never in the heap. Which would result in what Chrome is doing. In fairness, if the password needs to be passed in plain text to the website, then it needs to exist in memory, in plain text, at some point. Still, it's silly to permanently keep all of them in plain text in the heap. Maybe a good car analogy is leaving your door unlocked at all times Vs unlocking it just when entering the vehi

    • by Tom ( 822 )

      If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords

      Not true.

      An attacker may have a limited window. He might exploit some other vulnerability to do some operation with privileged access rights, but not have an admin shell.

    • by mattr ( 78516 )

      Thankfully not a windows user, but if passwords are in memory and you ran a claw bot wouldn't Claude be able to just find your passwords in memory or from a core dump? Whereas if they are hashed on disk and hopefully not kept around, no?

    • > "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats,"

      Versus: "Prioritising Security above all else" (https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/)

      This whole thing is an absolute joke - they didn't prioritise security at all, they didn't really even think about it at all either. They just put in a password manager feature because otherwise Edge looks like a toytown browser. They

  • by thegarbz ( 1787294 ) on Wednesday May 06, 2026 @07:40PM (#66131170)

    Yes you'd need malware to dump contents of the RAM in order to extract the passwords, but this is a vector none the less. Microsoft made a lot of noise in the past about secure credential management, using Windows Hello for authentication and password managers meaning you are immune from any key loggers attempting to get at your data. Also there's a difference between exploiting one password and exploiting ALL passwords. Logging into Slashdot shouldn't expose someone's banking password for example.

    That said this attack does still require privileged access to a machine, so they are technically correct in the level of permissions required here would be equal to those which would render virtually all traditional password managers useless (since passwords by necessity need to be in plain text at some point in order to fill into a site).

    Still fuck them, fix the bug. Chrome doesn't do this.

    • Right now it requires privileged access to a machine. Someone is likely to figure out a way to side step that requirement. However in the current form, an IT admin could steal another employee's credentials.
      • An IT admin can already do that if they have this level of access encrypted or not.
        • Where I work and many other places, access is compartmentalized. An IT admin can assist me with my computer; they do not have access to all the servers nor the databases where data is stored.
      • Defence in depth my friend. Privileged access should only expose a minimum of critical information, not all of it at once due to an unrelated request. Yes we need malware to make this work, but the reality is the malware in this case has a far larger scope than it would on e.g. Chrome.

    • It is definitely a potential vector, albeit a low risk one and not one the majority have any need to be concerned over. HOWEVER, given they were one of the big pushers for secure storage and management of credentials this sets a horrible precedent and they should know better.
    • That said this attack does still require privileged access to a machine, so they are technically correct [...]

      For an ordinary user application running in its own CPU process you'd be right on the money, but this happens to be a web browser, whose sole job is to render and execute untrusted JavaScript code from random sources. The slightest code vulnerability, if it exists, can and will be exploited to attempt to access Edge's memory pages.

      • While you are right, the modern browser is these days amazingly secure, even an exploit on the browser rarely exposes any memory beyond that accessible by the current tab thanks to per tab process isolation. The question is, to what extent is the password filling process integrated into the tab's process. I'm hoping not at all, but... Microsoft...

  • by NotEmmanuelGoldstein ( 6423622 ) on Wednesday May 06, 2026 @07:41PM (#66131172)
    In software, much application data lies in global variables because passing it through the stack consumes memory and time: Yes, Microsoft has a point, that safety and sensibility trade-offs are common. Still, the word "private" means more than a lock on the door, it means leaving the door unlocked for the minimum time. It means installing the easy road-blocks in case a mistake happens. The prime reason to stop that, is sharing the data with other functions: I'm thinking AI agents, that will combine logging into your shopping account, banking account, Facebook account to automate your online 'life'.
  • by skogs ( 628589 ) on Wednesday May 06, 2026 @07:48PM (#66131186) Journal

    Sure. One machine is compromised, in the MS engineers' heads.

    The trouble is now there is a standardized, repeatable location and methodology that can be used to now get ALL the passwords ever typed into Edge. Suddenly the text file sitting on my desktop named nextcomputerbuild.txt is significantly less likely to be directly targeted by bad actors.

    They need to think through - yup machine is hosed. Oh well...should have had better antivirus.... and eventually get to the point of realizing ermagerd now my bank accounts and investment accounts are emptied out and being used to fund terrorism.

  • I'm pretty sure that whoever at Microsoft wrote that response won't have a job too much longer.

    I'm sure that every Citrix and Terminal Server admin running multiple users on their server will sleep well at night knowing that there's absolutely no way Karen from HR will open a resume attachment that uses a PDF exploit to further exploit a Windows privilege escalation vulnerability that opens the door to steal half of your 5000+ employees' stored browser passwords hours before they perfectly time their ransomware payload drop so they can sneak in and steal all of your company's money from their bank's website (as well as some of the employees' bank accounts as well because who doesn't do banking at work amirite) while you're too busy panicking from the ransomware chaos to notice.

    I guess on the bright side it wouldn't be as bad if you were running VDI and disabled browser password storage like you should.

  • Redundant (Score:5, Funny)

    by PPH ( 736903 ) on Wednesday May 06, 2026 @08:28PM (#66131226)

    "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said.

    We already assumed it was running MS software.

  • Those CPU extensions for creating a separate area that is secure. The ones Intel removed from consumer CPU's which broke playback of 4K bluerays on desktop PC's from that point forward.

    • No. It would simply require not keeping unencrypted data unnecessarily in memory, not require unencrypting non-related data unnecessarily, and the use of other tech like TPM (which is precisely how Chrome does it). Software Guard Extensions (SGX) from Intel could have been used but isn't necessary. Its role has been largely superseded.

  • by Tablizer ( 95088 ) on Wednesday May 06, 2026 @10:37PM (#66131346) Journal

    MS Public Memo: "Not a real problem, don't worry."

    MS Internal Memo: "Fix that fucker yesterday or we'll fire you and key your car!"

  • by diffract ( 7165501 ) on Thursday May 07, 2026 @12:11AM (#66131404)
    Do chrome & chrome-based browsers do that too? If not, I wonder what made Microsoft go out of their way to screw this up
  • ...for extra encryptyness!
  • Microsoft [...] stores passwords in plaintext in RAM

    You're not saying?

    But they take security so seriously. They said. They promised. This time for real. No, this time. Ok, next time.

  • If software can read (or write) arbitrary RAM in a machine then you've got WAY bigger problems than some plaintext passwords.
  • "Security is defined as a positive integer. By having none and then removing a layer, we overflow to perfection."

  • MS and security have been an oxymoronic textbook example for decades now.
  • And just exactly where does it go when you delete it from RAM?
  • help users sign in quickly and securely

    At this point, these password vault apps are competing with people who poke passwords in with one finger. I suspect that decrypting a needed password on the fly only when needed will still be orders of magnitude faster than my hunt and peck method.
