Posted by cft 5 days ago
> If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.
If an attacker has administrative access, they can also attach a debugger to every chrome process and force it to decrypt all the passwords. The only difference this really makes is in coldboot attacks, but even then it's still not clear whether it makes the attacker's job slightly easier, or allows an attack that's otherwise not possible.
[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
I doubt this is an Edge-specific issue. Microsoft has no interest in making their browser less secure than its upstream.
> Why aren‘t physically-local attacks in Chrome’s threat model?
> We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user.
https://chromium.googlesource.com/chromium/src/+/148.0.7778....
That being said any single password, when used, passes through so many layers and components that it's likely impossible to even just wipe the contaminated memory locations. But that's fine, the password database is opened for most of the browser's lifetime, any given password actively being used is a rare event in comparison.
Is there any software we’d be aware of which uses this technique
It absolutely ain't Edge-specific. Firefox (AFAICT) also keeps stored passwords in clear-text unless encrypted with a passphrase (which is not the default on desktop; on Android there's a fingerprint/PIN check to access them, but I don't know offhand if there's any encryption involved with that).
Really this is true of most credentials stored within applications; unless you're providing a decryption key on open (whether explicitly or on OS-level login using some keychain mechanism), the stored credentials are probably plaintext.
Microsoft has every interest in spending as little money as possible on edge, just enough to keep people swalling the tripe. User privacy is not a thing at MS and hasnt been for decades. Plaintext passwords in a MS product is just another monday. It will take decades more to convince me they have changed.
The old edge wasn't used much no but that wasn't due to its engine. Most people don't even know what a browser engine is.
They just didn't want to bother making a browser. But they want to benefit from the marketing advantages of having a browser so now they just lift along with chrome.
I think they do care, but they care about relevance, not browser monoculture. Doesn't matter how good Trident was, no one was ever going to use it. Even Firefox is barely hanging on, and the only reason Safari is still somewhat relevant is because it's the only choice on iOS.
And my relevance I mean their bread and butter, enterprise, not consumers. Edge is what lets MS give enterprise IT departments maximum control without the grumbling of "we'd rather have Chrome" from the end users.
It's just when they moved to chromium they also stepped up the marketing around it and all the lock-in in Windows and that's really what got people to use it. Basically the same thing they did to make IE a monopoly.
They also really heavily pushed companies to start using it. Every time we had a call with a MS consultant and we shared a screen they had to bitch about us not using edge, as if they were on commission or something. Eventually they manipulated our leadership into mandating edge to all employees. It's totally locked down now too, it's terrible for the users.
But my point is, they could have done this with the trident version of edge too. I've never heard anyone complain about compatibility. Whenever people didn't want to use edge it was because of a (totally justified) distrust of Microsoft. We should never give control over the internet to them again after what they did with IE (making it a monopoly through illegal means and then leaving it to wither away full of security holes). But unfortunately at work they have got them to remove all other browsers :(
This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscation it before use (and that memory too is dump-able).
All adding in-memory obfuscation does it make ignorant people feel better, while not moving the security needle even an inch.
Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.
I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.
Or your backpack gets stolen.
Oops.
I swear, people who idolize passkey security must never travel anywhere.
PS: "just have more devices with passkeys", they invariably say.
Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.
Given that in order to access your password manager's vault often requires 2-factor (or should at least) it's a level of security that I am comfortable with.
I take it a step further and host the password manager vault within my home network. My home network does not expose anything publicly except a WireGuard port, it's completely locked down. I have to VPN in to access the vault.
About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.
And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.
I’ll be honest I’ve heard a lot of griping about passkeys but I have gone out of my way to switch over to them and have had precisely zero issues over the dozens of sites that I’ve bothered to make the switch on. Login flow is simpler and doesn’t rely on a browser extension guessing at login fields or trying to figure out when passwords change.
Sometimes the new thing really is just better.
Me giving an example of one major website (actually, I gave two) is all that is needed to disprove your claim. I could provide plenty more examples of major websites asking me to, but I don't need to. I could provide plenty of examples of people telling people to "redo everything" with passkeys, but your own comment is literally advocating the same thing...
Please don't mischaracterize the conversation that is plainly visible for all to see. Just accept that you tried to suggest that nobody is asking users to switch to passkeys, and you were wrong. It seems like your error is that you just haven't been seeing it personally, since you switched on your own before the nagging started, and so you weren't aware of it. Well, now you are.
> Nobody is asking you to?
Nobody is in fact asking you to change everything.
Why you are trying to claim the opposite is beyond me.
Yeah right.
When passkeys were rolled out, I was told it's OK because "passwords are always going to be required to be an available alternative".
Now we've moved the goalposts to "it's just one website".
>Sometimes the new thing really is just better.
And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.
Pray tell then what.
If passkeys are significantly better, passwords will gradually stop existing. If passwords are, passkeys probably won’t catch on.
> And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.
I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it. If this is a sufficiently motivating use-case for you, you too can take these kinds of steps to mitigate the risk.
But since we’re playing the “what if” game, what happens if you get early onset dementia and forget your passwords? Pray tell then what?
So, your solution is passwords with extra steps.
Thanks but no thanks.
>I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it.
So, basically, having to create and maintain a backup device to keep separately from my laptop/phone in case they get stolen, make sure I don't lose it, but carry it with me everywhere like a crucifix.
That, and still having to remember and use a password, because otherwise the thieves get control of everything once they steal my device.
Sure. That's not objectively better than passwords which don't require this sort of hassle.
At the very least because it still requires a password.
>you too can take these kinds of steps to mitigate the risk.
OK. I can. I don't want to have to do these kind of steps, or any other dance to mitigate the real risks that passwords already protect me from.
Passkeys mitigate risks which I don't run into (”what if someone learns my password?”), while introducing others.
They are a convenience for people who run the system because they off-load those risks onto users.
>But since we’re playing the “what if” game
You're playing games with contrived hypotheticals.
I've had my laptop, phone, and wallet stolen on an overseas trip.
>what happens if you [...] forget your passwords?
I click the "forgot your password?" link which every website that uses passwords has.
Having a notebook in a vault with passwords also solves this problem.
I don't get a sudden onset of dementia which causes amnesia when I travel.
But I've lost my devices and had them stolen from me overseas.
It was a big enough hassle even though I did have the passwords.
Having only one device that has authority to log into your accounts is obviously not a good security model.
Confirms that strategy then
For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.
It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)
Literally happened to me in Poland, which is why I avoid passkeys like the plague.
(The thief got caught months later. That didn't help me.)
>Maybe no big deal if you can port your number to a new phone right away.
T-Mobile won't mail a SIM card overseas, and I doubt others will either. There is no "maybe", it's a certainty that you won't be able to.
>Or maybe the trusted friend can help
Yeah, my wife literally mailed me SIM card to Poland.
It took over week.
And a "trusted friend" would first have had to get it somehow.
>Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)
At least I logged into my accounts from that city before the laptop and phone were stolen, so my logins were not "suspicious".
That's with a password.
_____
PS: screw Citibank's mandatory phone -based "2FA".
Edit: and near 0 customer support too
It takes a bit of effort, but it’s not impossible.
Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.
No need to imagine!
Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.
Have fun enjoy a "not truly problematic" scenario of getting your Yibikeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.
Bonus points for having your card locked or stolen at the same time.
Or, imagine the backpack with your passkeys devices being stolen on an overseas trip.
Again: pray tell, then what?
I don't have any passkeys on my phone or laptop. They're all on the Yubikeys.
I don't really see a difference with (some) password managers, though. If you use one of the keepasses, and you lose access to the file, you're in the same situation right?
And yeah, you're right, there is a risk of inconvenience. I'm not debating that. I just choose to organise my life in such a way that it is just an inconvenience.
It's literally at https://github.com/Joker-vD/keepassdb/raw/refs/heads/master/... in my case, plus a couple of other free hosting sites that support easy updates/reuploads, so losing access to it requires losing access to Internet — in which case you don't really need any (alright, most) of your passwords because you need Internet to connect to the services that require those passwords.
If I remember correctly, 1Password still requires a "vault key" in addition to your username and password, and it was definitely too long and not used often enough for me to remember.
That's a wild understatement. For most users, having a password manager is already very near to the upper bound of acceptable friction.
A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.
Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.
Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.
Updated to Windows Hello and passkey.
Now I can use a 4 digit pin to login.
Thank you, then this is still true today?
Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.
Having passwords on post-it notes does make certain types of attacks much easier. For instance, coworkers hacking other coworkers, or people burglarizing the office. None of which really apply to the "If an attacker gains administrative access on a terminal server" scenario.
Continuing the analogy, what Edge is doing is like leaving cash in unlocked cabinets inside a vault, and what Chrome's doing is locking those cabinets with a padlock. Sure, having the padlocks makes the cash more secure, but if someone went through all the effort into breaking the vault (terminal server), a padlock probably isn't going to stop them. This is especially true nowadays with AI coding agents and ready-made stealers available for sale online.
It also makes other attacks much harder. Namely I don't need to worry about some zero-day in my password manager.
We should care about all kinds of attackers, and not assume that the protections against the most sophisticated will obviate the protections against the least sophisticated.
Hiking with two GPS-capable devices is Swiss cheese.
https://en.wiktionary.org/wiki/Swiss_cheese#Noun
What's next? A system so secure that you can drive a truck through it? A honeypot in the center of a wasp nest?
If you can cross over to the main Edge process, you can probably get it to remove any encryption it applied itself.
It honestly feels like more and more "security" people and businesses have less interest in actually securing systems and more in marketing themselves and their business hence the tendency to make every niche attack into a five alarm fire.
What am I missing here?
[1] https://learn.microsoft.com/en-us/windows/win32/memory/memor...
If Process A and Process B are running in the same user context on a desktop OS, PAGE_NOACCESS is not a strong boundary by itself. Process B may be able to obtain PROCESS_VM_OPERATION/PROCESS_VM_READ, change the page protection with VirtualProtectEx, inject code that calls VirtualProtect inside Process A, load a DLL, attach as a debugger, duplicate useful handles, or tamper with the executable. That's the problem with same-user process isolation, it is a hugely leaky abstraction. There is no magical "just set this bit" fix.
On a desktop OS, once an evil process runs under the same user context, you are relying on process DACLs, integrity levels, code-signing, anti-injection hardening, and file-system protections. You can plug one path and still have several others.
Why exactly? I'm genuinely asking, because I feel like I get this a lot, and it is pretty frustrating.
While we're at it, I'm under the impression that the recent LLMs have also co-opted "genuinely", which I'll never forgive them for—first they stole my em-dashes, and now they're stealing my adverbs too?!
As to that comment's tone, my entire comment history is visible going back years. I'd invite people to peruse it.
Without context, sentences like this mean nothing. So it's borderline a non sequitur. A threat model can be literally anything. Me giving my PC to someone at Best Buy, letting my grandma write assembly, or throwing my PC out the window can be a "large threat model." Nonsense sentence.
> If Process A and Process B are running in the same user context on a desktop OS, PAGE_NOACCESS is not a strong boundary by itself. Process B may be able to obtain PROCESS_VM_OPERATION/PROCESS_VM_READ, change the page protection with VirtualProtectEx, inject code that calls VirtualProtect inside Process A, load a DLL, attach as a debugger, duplicate useful handles, or tamper with the executable.
To the uninitiated this seems right, but really there's so much glossing over, it feels written by a non-expert that just read the first chapter of a "hacking for dummies" book. I've written anti-cheats and have even done some some hardware stuff, so I say this with some degree of experience: writing a userspace hack/cheat is pretty hard without a zero-day. Most stuff won't easily get PROCESS_VM_OPERATION permissions, also those are (afaik) logged by the kernel, so you can easily see if some weird "DefinitelyNotACheat.exe" executable or "NotABadLibrary.dll" requested them, so it's a pretty janky way of getting access to memory you shouldn't.
> That's the problem with same-user process isolation, it is a hugely leaky abstraction. There is no magical "just set this bit" fix.
Again, this is a non sequitur. No one said (or at least I didn't) that there's a "magical" bit. You're not even arguing against a strawman, it's almost like we're having two different conversations.
> On a desktop OS, once an evil process runs under the same user context, you are relying on process DACLs, integrity levels, code-signing, anti-injection hardening, and file-system protections. You can plug one path and still have several others.
Also seems right, and it kinda' is, but code signing is notoriously easy to circumvent, "anti-injection hardening" can mean like three million different things, etc. I dunno, just sounds like someone that's never done this stuff before. Like, not bringing up Detours[1] when talking about "anti-injection" just seems like weirdly avoiding the ONE canonical way of doing this, which just about every single hacking/cracking book covers. Idk, weird omission.
Also, no one in their right mind would attach a debugger, as that's trivial to detect[2]. I guess it could be a decent proof of concept, but no serious hacker would ever go that route. (Also, if I remember correctly, you also need to ship some special DLLs that have the actual debugging helpers—and same with Detours, so might as well do that).
Just wanted to give my justification for the accusation. Maybe I'm wrong and maybe that's why I'm getting the downvotes, so my bad.
[1] https://github.com/microsoft/detours
[2] https://learn.microsoft.com/en-us/windows/win32/api/debugapi...
> The PAGE_GUARD protection modifier establishes guard pages. Guard pages act as one-shot access alarms. For more information, see Creating Guard Pages.
[1] https://learn.microsoft.com/en-us/windows/win32/api/memoryap...
Even so, none if these methods offer protection, at best you can get some detection, but that doesn't matter when they got your passwords already.
This is the load bearing argument and it is false.
There are plenty of circumstances were you can grab a piece of process memory but not all of it.
There are plenty more circumstances where you can grab process memory but not kernel memory.
There are plenty more (almost all) where you can dump kernel and process memory but you can't access the keys stored in the TPM module.
Leaving the door open for anyone with the smallest exploit is stupid and bad security.
Additionally, the passwords could be kept encrypted in another process, and decrypted on demand, essentially a password vault. This lets you use techniques like biometric or physical button approval for password use, and reduces the likelihood of a browser memory dump containing passwords.
File audit capabilities in the OS can also be tuned so that only the vault application should be reading the vault file. Make info stealers job difficult.
It would be stupid, wasteful, and overly-complex to encrypt forms just in case some malicious process somehow got ring0 access. In that case, a keylogger is likely more useful anyway. And you're fucked even if you are encrypting stuff (as keys are likely also somewhere in memory[1] and they need to be—gasp—unencrypted). There's no free lunch.
Stupid Twitter thread meant to rage-bait for engagement.
[1] They could also be on disk or on some peripheral, but still fully readable by a motivated-enough hacker.
Not to strain the analogy, but it's more like not locking your bike when it's in your locked apartment (the apartment being your computer). The thought being that if someone puts the time and effort into breaking into your apartment, a bike lock isn't going to do anything to stop them.
Operating systems have had guest accounts for decades for the "handing your PC to friends/family/etc." use case. Even Android phones have temporary guest accounts (though many manufacturers disable that because it interferes with their own secondary user-based hacks).
I think it's worthwhile considering this. There's a reason why password managers ask for a master password or passkey after 10 minutes. Since I thought Chrome relied on an encrypted enclave, it isn't quite feasible to extract passwords easily even with root access.
Yes, you shouldn't leave your computer unattended. But that doesn't mean designing products that make exploiting the inevitable slipup fatal.
It seems to depend on whether you're on a desktop or mobile device. [1]
> macOS 13 Ventura was released in 2022 and for portable Macs with Apple CPUs Apple introduced a feature known as ‘Accessory Security’ (also known as ‘Restricted Mode’)
> By default, portable Macs (i.e. laptops) with an Apple CPU running macOS 13 Ventura or newer version of macOS will require the end user to authenticate and approve a Thunderbolt device when initially connected.
> Stationary Macs (i.e. desktops) with an Apple CPU running macOS 13 Ventura or newer version of macOS do NOT implement the ‘Accessory Security’ feature. As a result, Thunderbolt devices will be automatically approved and authenticated when initially connected.
Anecdotally, I have had Dell and Lenovo laptops with Thunderbolt and in Linux I had to manually approve each new device before it would function. [2]
[1] https://kb.plugable.com/docking-stations-and-video/do-i-need...
[2] https://wiki.archlinux.org/title/Thunderbolt#User_device_aut...
https://support.microsoft.com/en-us/topic/export-passwords-i...
With said cookie you can absolutely impersonate a user for while (potentially needing to evade user agent string checks and the like but often not)... but it will expire and then your access should be ended. If the site is well designed actions like password changing should also re-require the user's password instead of allowing anyone with just the cookie from proceeding with the action.
If it is done right cookies are pretty decently secure at keeping your secrets safe but, for convenience they do lower the security that could be accomplished with more involved techniques.
As an aside Oauth's key -> token approach is basically identical to password -> cookie (assuming best practices are in place).
Google now wants to bind credentials to a device by storing the secret in the TPM: https://blog.google/security/protecting-cookies-with-device-...
Anything that is on a client device can be manipulated without your awareness.
I keep looking for frameworks that do it the right way, holding critical data encrypted all time, but it isn't a thing most people worry about.
E.g. if my app needs a db connection I can ask a vault service but I need creds for that. The vault service can rotate the creds very fast but is it addition security.
The password should only exist in the process memory for the few lines of code to open that database connection, and then wiped after you got the handle.
Ideally, homomorphic encryption should be used instead.
Malicious code can read some/all memory in your container, but not necessarily execute. Plenty of such vulns exist.
> Where do you store the decryption key?
Not in memory. Either nowhere after use, on the filesystem, or otherwise accessible on-demand by performing IO.
This was in the middle of the 2003 security stand-down and he started by asking "How are your QA skills? Cause in a couple months Bill (Gates) is going to forget all about security and we'll get back to writing code the way we always have. And we won't need a Security Architect so we'll have to find a job for you and I was thinking QA."
Corners of Microsoft doing stupid things with respect to security isn't an accident. It's a natural consequence of their culture.
That being said... There are (or at least were) some amazingly good security brains in Redmond. It's just that not all groups got the security memo.
I mean, sure, if you literally ignore the words "in memory", but by that logic you could argue that "Microsoft Edge stores" is misleading because it sounds like it's talking about retail establishments that sell the web browser, which is equally nonsense. I don't find it plausible that you think most people would see "stores in memory" would mean "stores on disk" unless you think that they don't understand the difference between memory and disk, at which point I don't think that they would be here to misread the headline.
To fair though, there are very few situations where the network is completely trustworthy, like your home network with no one else on it or a VPN direct to an HTTP server.
A really really untrustworthy network could MITM your SSL connections and impose itself in front of all of them (Cisco IronPort?) but I think even then your browser will complain unless you've installed a proxy that allows it or a custom root certificate.
It’s not enough for the network to be untrustworthy for MITM attacks, they have to use a certificate signed a by root certificate that your computer already trusts.
Organizations with those IronPort gateways use device management and Active Directory policies to pre-install a root certificate into your OS. The IronPort decrypts the original server then re-encrypts it with its own certificate to your computer.
If you used a non-organization managed device on those networks, it would show big scary warnings before letting you visit any HTTPS site that the certificate issuer is not trusted by your computer.