Posted by cft 5 days ago

Microsoft Edge stores all passwords in memory in clear text, even when unused (twitter.com)
640 points | 232 comments | page 2
danborn26 4 days ago|
This seems like a significant oversight for a modern browser. Credential material should be aggressively zeroed out after use to minimize the attack surface.
efilife 3 days ago|
llm comment
AJRF 4 days ago||
I feel like there is a problem with security research where the incentive is to find scary headlines, and things that have very little impact get trotted out as world shattering revelations. This seems like one of those times - feels like an "assume a perfectly spherical cow" moment - if you are at the point where you have access to attempt to read this, the kingdom is already lost?
timedude 5 days ago||
That's kinda stupid. The passwords could get swapped to disk in the swap file in plaintext when memory is low by the OS.
alterom 5 days ago|
You say this as if accessing that file was any easier than accessing memory.
mintplant 5 days ago|||
If I have a disk image or access to the physical drive, it's trivial. This means they can no longer be considered encrypted at rest.
munk-a 5 days ago|||
If you're on prem or able to manipulate the machine into an OS of your choosing, yes. But with purely remote access to a device the disk is pretty decently secured (even if Windows' ACLs are nightmarishly convoluted).
dist-epoch 5 days ago|||
If your computer storage is not fully encrypted you have bigger worries than the swap file.
dlcarrier 5 days ago|||
It is when the computer is off.
alterom 4 days ago||
And if you whack someone with a wrench until they tell you the password, it's even easier!

Seriously, if someone is getting physical access to the machine to the extent where they can remove the hard drive... I doubt that it makes a difference whether the browser's password manager keeps its passwords encrypted in-memory.

dlcarrier 4 days ago||
There's a huge difference in physical and criminal liability for stealing a laptop vs kidnapping someone. If tools become widespread for criminals to recover user accounts from an unpowered laptop, there's going to be an uptick in identity theft. When many cities wouldn't even prosecute for the theft of a laptop, almost no one that's willing to steal a laptop is willing to hold someone up, which not only puts the criminal at physical risk of the victim attacking but also could result in decades of incarceration, if caught.
busterarm 5 days ago||
For anyone that thinks this is an Edge-specific dunk, Chrome does not hash your passwords and they are cleartext in memory while Chrome is running (which for most users is always).
bobbiechen 5 days ago||
This is generally true of every application that handles sensitive data. Unless you explicitly clear that memory, it's likely to hang around forever.

For example, here is a 2019 writeup from KeePassXC with similar notes: https://keepassxc.org/blog/2019-02-21-memory-security/ - even though they explicitly clear sensitive data, there is still a window of opportunity.

During my time working on confidential computing, we had a variety of demos showing similar attacks against lots of different datastores, scripts, etc. That's just how computers work and your options are very limited if this is part of your threat model (imo just confidential computing and, if you can handle the performance hit, fully-homomorphic encryption).

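To make the point in this comment concrete (secrets linger in memory unless you explicitly wipe them, and the exposure window is then only the time of use), here is an added example that is not from the thread or from any browser's code. It simulates process memory with a constructed arena, shows a leaky and a hygienic way of using a stored password, and includes the kind of scan a defender would run over a memory image to verify the wipe worked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 4096

/* Simulated process memory: a working arena the "password manager" copies
   credentials into while they are being used (constructed for this demo). */
static unsigned char arena[ARENA_SIZE];

/* Wipe that the optimizer cannot elide as a dead store: every byte is written
   through a volatile pointer. (C11 memset_s or explicit_bzero do the same job
   where they are available.) */
void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Stand-in for "use the password": copy it into the arena at the given
   offset, as a client would before building a login request. */
static void load_secret(size_t off, const char *secret) {
    size_t n = strlen(secret);
    if (off + n > ARENA_SIZE) return;          /* constructed bounds check */
    memcpy(arena + off, secret, n);
}

/* Leaky usage: the plaintext stays in memory after the request is sent,
   so any later memory dump (or swap-out) still contains it. */
void use_secret_leaky(size_t off, const char *secret) {
    load_secret(off, secret);
    /* ... request built and sent here ... */
}

/* Hygienic usage: same work, but the working copy is zeroed as soon as the
   operation is done, shrinking exposure to the duration of the call. */
void use_secret_wiped(size_t off, const char *secret) {
    load_secret(off, secret);
    /* ... request built and sent here ... */
    secure_memzero(arena + off, strlen(secret));
}

/* Memory-hygiene check: scan the image for the plaintext, the same way one
   would grep a process dump. Returns true if the secret is still present. */
bool dump_contains(const char *secret) {
    size_t n = strlen(secret);
    if (n == 0 || n > ARENA_SIZE) return false;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, secret, n) == 0) return true;
    return false;
}
```

The wipe only covers the copy this code made; any other copy (a std::string temporary, a socket buffer, a swapped page) needs the same treatment, which is why the KeePassXC writeup still describes a residual window.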
dist-epoch 5 days ago||
Windows already has a secure kernel credential store, they could move the Edge password store there with a bit of effort, minimize the splash damage when you retrieve a single password to send over HTTP from the regular user space.

> Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.

> Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them.

https://learn.microsoft.com/en-us/windows/security/identity-...

jborean93 5 days ago||
This only works if credential guard has implemented a way to build a subsequent token/value from that secret. For things like basic auth the secret would need to eventually hit the userland process that needs it in some shape or form to then embed it in the HTTP payload which is plaintext.
Someone1234 5 days ago|||
Password hashes are one-directional lossy storage. If a password manager "hashed your password" it would be essentially deleting your password and replacing it with something else which cannot be used to log into anything. The password MUST be recoverable to plain-text to replay it to a website.

But you're correct that Chrome, Firefox, Edge, LastPass, Bitwarden, even KeePass have the same issue. It is an Operating System limitation, not a password manager problem.

Sohcahtoa82 5 days ago|||
I think the catch is whether the passwords are unencrypted in memory constantly, or only during a short period when the password is being used?
busterarm 5 days ago|||
I never said that they should be hashed, just that they aren't. Just subtly pointing out what the tradeoffs are if you choose to use a password manager whose storage/access is basically always available.

At least with Keepass it's locked in an encrypted store and only available exactly when I need it to be. I can take other precautions if I want when I want to access it.

With your browser's password manager you're stuck with the slop you were given.

traderj0e 5 days ago||
So are you typing your password every single time you want to unlock that store? If not, where's the master password stored? I know Keychain does something advanced with the enclave.
busterarm 5 days ago||
My master password is ~20 characters of strong randomness and completely in my head and has worked that way a good 10 years or so now.
asmosoinio 4 days ago||
Not since 2024 according to this article? As they use DPAPI. Or am I reading this wrong?

https://security.googleblog.com/2024/07/improving-security-o...

> In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS.

iberator 5 days ago||
That's why each page of the RAM memory should be AES encrypted with a key in hardware...

This is the future and I think IBM got such technology like 50 years ago envisioned.

aslihana 5 days ago||
Correct me if I am wrong, but Chrome is (at least was) keeping passwords as raw text in Windows too. I got a friend's forgotten password from Chrome on a 2021 version.
cj00 5 days ago||
Yeah it's been years but I remember seeing arguments with Google devs saying if someone had access to your local file system, you're already SOL.
thewebguyd 5 days ago||
I've always hated that argument. Yes, if someone has access to your local file system, you are already SOL, but if that machine is part of an org, they aren't necessarily SOL, except that now those plain text passwords can potentially be used for easier lateral movement to hit other, more privileged accounts (if you had access/had them saved in that password manager). At minimum, those credentials can now be used to phish the rest of your organization.

Stopping the spread is just as important as protecting any individual machine.

Hikikomori 5 days ago||
Chrome added app bound encryption of cookie files in 2024.
testemailfordg2 4 days ago||
That's interesting, then that UAC prompt asking to enter login credentials to view existing saved password is useless.
eddy-sekorti 3 days ago||
That is why I never use Edge. Chrome is much better in every aspect; I cannot understand how Microsoft can be so stupid as to do this.
zx8080 5 days ago||
The only important question is: does Chrome store passwords in the same way as Edge?
asmosoinio 4 days ago|
According to this article: No, they use DPAPI

https://security.googleblog.com/2024/07/improving-security-o...

> In Chrome 127 we are introducing a new protection on Windows that improves on the DPAPI by providing Application-Bound (App-Bound) Encryption primitives. Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity, similar to how the Keychain operates on macOS.

matof 5 days ago|
Edge is built by a company not focusing on user data-protection, so no surprise here. At least Brave and Firefox are usable and actual competitors, but have a business model based on user security rather than data.