Microsoft Edge Stores Passwords In Plaintext In RAM (pcmag.com) 50
Longtime Slashdot reader UnknowingFool writes: Security researcher Tom Joran Sonstebyseter Ronning has found that Microsoft Edge stores passwords in plaintext in RAM. After creating a password and storing it using Edge's password manager, Ronning found that he could dump the RAM and recover his password which was stored in plaintext. Part of the issue is Edge loads all passwords to all sites upon a single verification check, even if the user was not visiting a specific site. This is very different from Chrome, which only loads passwords for specific websites when challenged for the site's password. Also, Chrome will delete the password from memory once the password has been filled. Edge does not delete the passwords from memory once they are used.
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
Microsoft downplayed the risk noting access would require control over a user's PC like a malware infection: "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said. Ronning countered that it was possible to dump passwords for multiple users using administrative privileges for one user to view the passwords for other logged-on users. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," Microsoft said. "Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
good thing that ActiveX plugin are not an thing an (Score:3)
good thing that ActiveX plugin are not an thing any more
Place your bets....state actor or AI slop? (Score:4, Interesting)
Re:Place your bets....state actor or AI slop? (Score:5, Insightful)
I'm guessing not a state actor. They already have enough other backdoors that Microsoft already put in for them, and plaintext is just too obvious even for them.
My bet is that this is just one more example in the already giant collection demonstrating Microsoft's utter incompetence around good engineering, robust security, and properly testing products before releasing them.
Re: (Score:2)
was going to ask this same question... edge is chromium based.. would have assumed it was baked into the security architecture...
Only thing that makes some sense to me is they disabled the memory protection because widows is supposed to randomize memory addresses... (ASLR).... so a layer of security through obscurity for marginal performance gain. :/ grasping at straws here...
But after all is said and done... there are multiple ways to dump a readable password list from chrome and edge, and most browsers...
Re: Place your bets....state actor or AI slop? (Score:2)
I doubt it's AI slop.
Edge has been storing passwords long enough that I assume the password manager code predates AI coding.
Re: (Score:2)
>> Place your bets....state actor or AI slop?
MS. is AI slop.
MS is a state actor.
My "design choices" involve... (Score:5, Funny)
... designing my workflow to avoid using this browser.
I'd love to trash Edge, but... (Score:5, Interesting)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.
For that matter, an attacker with that much control over your system can even get your passkeys, unless those are stored in some OS-managed secure enclave and they require user authentication in the loop (e.g. a biometric which is matched in the secure enclave, and ideally with a secure path from scanner to enclave).
Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.
Re:I'd love to trash Edge, but... (Score:4, Insightful)
It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.
Re: (Score:2)
It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.
Nah. You just try all the bytes. It's not that many.
Re: (Score:3)
For the "secure" model,
What immediately comes to mind is a multi-process design (which I know that Chrome does use, but not to what extent).
The ability to read/decrypt passwords would be kept in a separate process from whatever handled rendering the website and runnings its javascript (since that's the most exposed to security challenges).
The head process woul
Re: (Score:2)
If you have a process that provides a service that hands out passwords, it's irrelevant whether the passwords are plaintext or ciphertext. An attacker who compromises a rendering process can only query -- but can probably query a lot. An attacker to breaches the process separation, well...
Note that this is separate from whether the on-disk database needs to be encrypted. There are additional threat vectors there.
Re: (Score:2)
>> An attacker who compromises a rendering process can only query
Nah. Very different threat than getting a RAM dump.
Ram dump get, for example, sent to Microslop for analysis of crashes (and storing of your passwords if you are one of the 6 users that use edge.)
Re: I'd love to trash Edge, but... (Score:4, Insightful)
Not deleting the password from memory is where Edge ultimately exposes itself excessively compared to competition. This is what happens when you have programmers that only think in terms of a Turing machine abstraction, versus doing practical threat modeling.
Re: (Score:2)
If an attacker has enough control of your machine to dump the password database, they have enough control
Er, I meant if they have enough control to dump RAM. Thinko because what I was thinking is that if they can dump RAM they can dump your password database, too (unless user authentication is in the loop and that authentication relies on secrets not in the device).
Re:I'd love to trash Edge, but... (Score:5, Insightful)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.
Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.
Microsoft is sort of right, but in other ways very wrong. The scope of this is huge. There's a big difference between malware getting my Slashdot password when I log into Slashdot, and malware getting my banking password when I log into Slashdot.
Re: (Score:3)
Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.
Maybe I'm misunderstanding what you mean by 'auth' here, but on my PCs (Windows 10):
It does require auth for passkeys, I think every time, but not for regular saved passwords in the browser. I have Windows Hello set up for a couple passkeys and I have to auth via Hello when I use them.
But I have regular saved passwords for almost every other website I use routinely and am not prompted to auth via Hello for that. My understanding is that for these, the auth/unlock is done once at user login and then the ses
Re: (Score:2)
Chrome has a setting to require Windows Hello when filling in passwords. You can turn this option on or off.
Re: (Score:2)
Ah interesting, never seen that before! I've just turned it on to see how annoying it is.
Re: (Score:2)
Re: (Score:2)
RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.
Re: (Score:2)
It shows that for Microsoft, security is an afterthought rather than a priority, with the obvious result that Microsoft software is not secure. RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.
If Chrome has access to them without user authentication, then so does any attacker who can dump Chrome's RAM.
Re:I'd love to trash Edge, but... (Score:5, Insightful)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here
i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...
you couldn't make this shit up, brought to you by "closed proprietary sofware".
then again, decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice. it's flabbergasting. you access sensible information only when needed and dispose of it after use, and even zeroing the memory should be par for the course. this is basic hygiene in any context.
both the pretext of "efficiency" and completely disregarding "defense in depth" are just laughable, even moreso if the information is as sensible as passwords no less, and agument "incompetency" to "pathetic clown level incompetency".
Re: (Score:2)
I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here
i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...
There's really no irony here. TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.
decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice
It's really no different from keeping the password database encryption key in RAM, or the capability which grants access to the database encryption key (however many layers of that you want to go down) which is what you have to do if you want to be able to use the passwords on-demand without an authentication step.
Re: (Score:3)
>> TPMs serve a different purpose, that of ensuring that the software you're running isn't maliciously modified.
Nope. TPM serve to lock down Hardware so you can't install Linux easily.
Re: (Score:3)
Been trying to figure out how Chrome does this because my recollection was that Chrome had the exact same problem - I remember making a similar point to you in forum threads a couple years back with people complaining about it then.
It looks like in 2024, Chrome added support [googleblog.com] for something called the Data Protection API (DPAPI [microsoft.com]), which provides some mitigation against arbitrary memory reads:
App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.
Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software â" and more likely to be detected
It's not clear from my quick read if this defends against this class of "attack" in all cases but it reads like it migh
Re: (Score:3)
unless the browser required authentication for every password retrieval.
It would be much safer if the browser requires authentication for each site. Generally most users are not opening new sites every second. A possible threat is the one in the summary.
If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.
The whole point is an attacker dumping the encrypted password database does little as it is encrypted. Chrome and other password manages only decrypts one password at a time. Even if an attacker exposes that password, all the other passwords are safe.
Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.
To me, the Edge way is just laziness. It is also less efficient by storing eve
Re: (Score:2)
hey can dump your password database,
The password database is encrypted. At least it should be.
Re: (Score:2)
hey can dump your password database,
The password database is encrypted. At least it should be.
If the browser can decrypt it without you entering a password or doing a biometric authentication to a secure enclave, then so can an attacker who controls the browser. Encrypting the database achieves something useful against an attacker who can read the browser's files, but not against an attacker who can dump the browser's RAM.
Re: (Score:1)
> If an attacker has enough control of your machine...
Not a plot-twist. Microsoft is the attacker or aiding and abetting someone that is. You are evaluating the world as if rules of conduct still exist anywhere among the ruling class.
Re: (Score:2)
> If an attacker has enough control of your machine...
Not a plot-twist. Microsoft is the attacker or aiding and abetting someone that is. You are evaluating the world as if rules of conduct still exist anywhere among the ruling class.
Put the tinfoil hat down and step away...
Microsoft part right, part wrong (Score:4, Insightful)
Yes you'd need malware to dump contents of the RAM in order to extract the passwords, but this is a vector none the less. Microsoft made a lot of noise in the past about secure credential management, using Windows Hello for authentication and password managers meaning you are immune from any key loggers attempting to get at your data. Also there's a difference between exploiting one password and exploiting ALL passwords. Logging into Slashdot shouldn't expose someone's banking password for example.
That said this attack does still require privileged access to a machine, so they are technically correct in the level of permissions required here would be equal to those which would render virtually all traditional password managers useless (since passwords by necessity need to be in plain text at some point in order to fill into a site).
Still fuck them, fix the bug. Chrome doesn't do this.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Security is a philosophy (Score:3)
Big Picture (Score:3)
Sure. One machine is compromised, in the MS engineers' heads.
The trouble is now there is a standardized, repeatable location and methodology that can be used to now get ALL the passwords ever typed into edge. Suddenly the text file sitting on my desktop named nextcomputerbuild.txt is a significantly less likely to be directly targeted by bad actors.
They need to think through - yup machine is hosed. Oh well...should have had better antivirus.... and eventually get to the point of realizing ermagerd now my bank accounts and investment accounts are emptied out and being used to fund terrorism.
A lot more Dangerous that they think (Score:3)
I'm pretty sure that whoever at Microsoft wrote that response won't have a job too much longer.
I'm sure that every Citrix and Terminal Server admin running multiple users on their server will sleep well at night knowing that there's absolutely no way Karen from HR will open an resume attachment that uses a PDF exploit to further exploit a windows privilege escalation vulnerability that opens the door to steal half of your 5000+ employees' stored browser passwords hours before they perfectly time their ransomware payload drop so can sneak in and steal all of your companies money from their bank's website (as well as some of the employee's bank accounts as well because who doesn't do banking at work amirite) while you're too busy panicking from the ransomware chaos to notice.
I guess on the bright side it wouldn't be as bad if you were running VDI and disabled browser password storage like you should.
Re: (Score:3)
Redundant (Score:5, Funny)
"Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said.
We already assumed it was running MS software.
They are fully encrypted (Score:2)
Wouldn't this require the trusted execution thing? (Score:3)
Those CPU extensions for creating a separate area that is secure. The ones Intel removed from consumer CPU's which broke playback of 4K bluerays on desktop PC's from that point forward.
MS office memos (Score:3)
MS Public Memo: "Not a real problem, don't worry."
MS Internal Memo: "Fix that fucker yesterday or we'll fire you and key your car!"
isn't Edge just a chrome skin? (Score:2)
Re: isn't Edge just a chrome skin? (Score:2)
Not just single but DOUBLE ROT13 (Score:2)