Microsoft Edge Stores Passwords In Plaintext In RAM (pcmag.com) 19
Longtime Slashdot reader UnknowingFool writes: Security researcher Tom Joran Sonstebyseter Ronning has found that Microsoft Edge stores passwords in plaintext in RAM. After creating a password and storing it using Edge's password manager, Ronning found that he could dump the RAM and recover his password which was stored in plaintext. Part of the issue is Edge loads all passwords to all sites upon a single verification check, even if the user was not visiting a specific site. This is very different from Chrome, which only loads passwords for specific websites when challenged for the site's password. Also, Chrome will delete the password from memory once the password has been filled. Edge does not delete the passwords from memory once they are used.
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
good thing that ActiveX plugin are not an thing an (Score:2)
good thing that ActiveX plugin are not an thing any more
Place your bets....state actor or AI slop? (Score:2)
Re:Place your bets....state actor or AI slop? (Score:5, Insightful)
I'm guessing not a state actor. They already have enough other backdoors that Microsoft already put in for them, and plaintext is just too obvious even for them.
My bet is that this is just one more example in the already giant collection demonstrating Microsoft's utter incompetence around good engineering, robust security, and properly testing products before releasing them.
My "design choices" involve... (Score:3, Funny)
... designing my workflow to avoid using this browser.
I'd love to trash Edge, but... (Score:4, Interesting)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.
For that matter, an attacker with that much control over your system can even get your passkeys, unless those are stored in some OS-managed secure enclave and they require user authentication in the loop (e.g. a biometric which is matched in the secure enclave, and ideally with a secure path from scanner to enclave).
Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.
Re: (Score:2)
It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.
Re: (Score:3)
For the "secure" model,
What immediately comes to mind is a multi-process design (which I know that Chrome does use, but not to what extent).
The ability to read/decrypt passwords would be kept in a separate process from whatever handled rendering the website and runnings its javascript (since that's the most exposed to security challenges).
The head process woul
Re: I'd love to trash Edge, but... (Score:2)
Not deleting the password from memory is where Edge ultimately exposes itself excessively compared to competition. This is what happens when you have programmers that only think in terms of a Turing machine abstraction, versus doing practical threat modeling.
Re: (Score:2)
If an attacker has enough control of your machine to dump the password database, they have enough control
Er, I meant if they have enough control to dump RAM. Thinko because what I was thinking is that if they can dump RAM they can dump your password database, too (unless user authentication is in the loop and that authentication relies on secrets not in the device).
Re:I'd love to trash Edge, but... (Score:4, Insightful)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.
Microsoft is sort of right, but in other ways very wrong. The scope of this is huge. There's a big difference between malware getting my Slashdot password when I log into Slashdot, and malware getting my banking password when I log into Slashdot.
Re: (Score:2)
Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.
Maybe I'm misunderstanding what you mean by 'auth' here, but on my PCs (Windows 10):
It does require auth for passkeys, I think every time, but not for regular saved passwords in the browser. I have Windows Hello set up for a couple passkeys and I have to auth via Hello when I use them.
But I have regular saved passwords for almost every other website I use routinely and am not prompted to auth via Hello for that. My understanding is that for these, the auth/unlock is done once at user login and then the ses
Re: (Score:2)
RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.
Re: (Score:2)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here
i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...
you couldn't make this shit up, brought to you by "closed proprietary sofware".
then again, decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice. it's flabbergasting. you access sensible information only when needed and dispose of it after use, and even zeroing the memory should be par for the course. this is basic hygiene
Re: (Score:2)
Been trying to figure out how Chrome does this because my recollection was that Chrome had the exact same problem - I remember making a similar point to you in forum threads a couple years back with people complaining about it then.
It looks like in 2024, Chrome added support [googleblog.com] for something called the Data Protection API (DPAPI [microsoft.com]), which provides some mitigation against arbitrary memory reads:
App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.
Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software â" and more likely to be detected
It's not clear from my quick read if this defends against this class of "attack" in all cases but it reads like it migh
Microsoft part right, part wrong (Score:2)
Yes you'd need malware to dump contents of the RAM in order to extract the passwords, but this is a vector none the less. Microsoft made a lot of noise in the past about secure credential management, using Windows Hello for authentication and password managers meaning you are immune from any key loggers attempting to get at your data. Also there's a difference between exploiting one password and exploiting ALL passwords. Logging into Slashdot shouldn't expose someone's banking password for example.
That said
Security is a philosophy (Score:2)
Big Picture (Score:2)
Sure. One machine is compromised, in the MS engineers' heads.
The trouble is now there is a standardized, repeatable location and methodology that can be used to now get ALL the passwords ever typed into edge. Suddenly the text file sitting on my desktop named nextcomputerbuild.txt is a significantly less likely to be directly targeted by bad actors.
They need to think through - yup machine is hosed. Oh well...should have had better antivirus.... and eventually get to the point of realizing ermagerd now my
A lot more Dangerous that they think (Score:2)
I'm pretty sure that whoever at Microsoft wrote that response won't have a job too much longer.
I'm sure that every Citrix and Terminal Server admin running multiple users on their server will sleep well at night knowing that there's absolutely no way Karen from HR will open an resume attachment that uses a PDF exploit to further exploit a windows privilege escalation vulnerability that opens the door to steal half of your 5000+ employees' stored browser passwords hours before they perfectly time their ranso
Re: (Score:2)
Redundant (Score:2)
"Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said.
We already assumed it was running MS software.