Posted by cft 5 days ago

Microsoft Edge stores all passwords in memory in clear text, even when unused (twitter.com)
640 points | 232 comments, page 3
peterdemin 5 days ago
Sorry for the off-topic question: is the situation the same with Safari on macOS? I have to Touch ID every time I fill in a password, so it seems like it's not available in memory.
dlcarrier 4 days ago
Anything with biometric authentication has to store the password in a recoverable way. The fingerprint sensor isn't repeatable enough to use your fingerprint data to encrypt the password, so all it can do is compare your fingerprint data to stored data, and if it's vaguely similar, give an okay to use a copy of the password it stored.

That's on top of a host of reasons why biometric authentication isn't very good security, so if you care at all about your data, just use a password. If you're any good at typing, it's usually just as fast and convenient, anyway.

It's slower on a phone, but a randomly-generated four-digit PIN's one-in-ten-thousand security is still better than a fingerprint, and most phones do allow more digits.

notepad0x90 5 days ago
Mixed feelings on this. Edge is supposed to store creds via DPAPI for the most part. You should also really not use the password-saving feature on Edge (or any browser); it exposes you to a lot more threats than you need.

But... saved passwords are not the same thing as the "secrets" the browser uses. It has to be able to provide plain-text passwords to websites. This is a really bad feature browsers should just not have to begin with, but they do, and I don't see a better way to use this.

In the past, they used to store the passwords in sqlite dbs, but now they've moved away from that at least.

From an attack perspective, there may be some instances where you can dump memory, but you can't attach a debugger to the process without getting caught. So it does make a little bit of a difference there, but Microsoft will probably tell you this isn't a security boundary that's being crossed. They can store it via DPAPI in lsass, and if lsass isolation is enabled (only on physical computers, default on Win11) even SYSTEM privilege won't get you the credentials.

But what's the idea here, you have access to the browser, but you can't visit the site the password is saved for to make it "in use" and in plain text, so you can dump the password? I mean, even if you don't have access to the desktop, you can just start msedge.exe with the URL for the site as an argument and trigger the password retrieval.

Edge has done a lot to improve credential security, even DPAPI's existence itself is huge. If your research has meat, that's great but I don't see it here.

This feels like some "researcher" hyping themselves up to me, but I could be wrong.

Also, I really despise how they posted this on Twitter. Not even considering the political landmine there, I can't see the comments or threads on there without logging in. I can't visit the site on mobile without being redirected to download the app. I just wanted to mention that if you use X as a security professional in this day and age, my opinion of you drops by like 50% immediately. I don't care if you use Bluesky, VK, Telegram, Discord, Facebook, Threads or whatever else; Twitter is the worst place for you to share your work and you should know better.
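A read-only PowerShell check, added here and not part of the thread, for the two Windows controls the comment above groups under "lsass isolation": LSA protection (the documented RunAsPPL registry value) and Credential Guard (the Win32_DeviceGuard WMI class). It assumes a Windows 10/11 host and an elevated session; it changes nothing.

```powershell
# Added example (not from the thread): report whether LSASS runs as a protected
# process and whether Credential Guard is running on this host. Read-only.

# LSA protection is controlled by the RunAsPPL value under the Lsa key.
# Nonzero means LSASS runs as a PPL (1 = with UEFI lock, 2 = without UEFI lock);
# absent or 0 means plain lsass.exe, which any process with debug rights can read.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$runAsPpl = [int]($lsa.RunAsPPL)
if ($runAsPpl -ge 1) {
    Write-Host "LSA protection (RunAsPPL): enabled (value $runAsPpl)"
} else {
    Write-Host 'LSA protection (RunAsPPL): NOT enabled'
}

# Credential Guard reports through the DeviceGuard WMI class.
# SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential Guard
# (2 is HVCI). "Configured but not running" usually means VBS has no hypervisor support,
# e.g. the VM case the comment above mentions.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $dg) {
    Write-Host 'Credential Guard: DeviceGuard WMI class unavailable on this Windows edition'
} else {
    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning    -contains 1
    Write-Host "Credential Guard: configured=$configured running=$running"
    if ($configured -and -not $running) {
        Write-Host '  -> configured but not running: check that VBS/hypervisor support is available'
    }
}
```

Neither control changes what a signed-in browser process holds in its own memory; they only raise the bar for reading LSASS, which is the distinction the comment draws between DPAPI-protected storage and the browser's in-use plaintext.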

pezezin 5 days ago
The real mistake is that we are still using simple password authentication instead of challenge-response or public key authentication.
jmclnx 5 days ago
In this day and age Microsoft should really know better. But I have seen this, and worse, happen over and over again in some Fortune 500 companies with ERP and in-house systems.

I would think this is a local vulnerability assuming Windows works as other OSs.

AzzyHN 5 days ago
And Firefox stores them unencrypted by default.
ivolimmen 5 days ago
We have an automated task that runs the OWASP plugin (Maven on a Java stack) that automatically creates a JIRA issue if any issue is found. So I pick up the JIRA ticket and look at the CVE. First things first, I __READ__ the actual CVE. Score: 7, ok that is bad. Hacker can do ANYTHING by using the tmp file on THE ACTUAL MACHINE ...
FuriouslyAdrift 5 days ago
A reminder that Edge is just Chromium plus some Microsoft hooks for automated SSO.
axdecces 4 days ago
sa