FRESH

Hacker News

Home

Microsoft Edge stores all passwords in memory in clear text, even when unused

512 points by cft

by gruez

15 subcomments

This feels like a case of "It rather involved being on the other side of this airtight hatchway"[1]. If you can read arbitrary process memory, you're probably also in a position to just dump out the passwords by pretending to be the user in question.
> If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.
If an attacker has administrative access, they can also attach a debugger to every chrome process and force it to decrypt all the passwords. The only difference this really makes is in coldboot attacks, but even then it's still not clear whether it makes the attacker's job slightly easier, or allows an attack that's otherwise not possible.
[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

by AJRF

0 subcomment

I feel like there is a problem with security research where the incentive is to find scary headlines, and things that have very little impact get trotted out as world shattering revelations. This seems like one of those times - feels like an "assume a perfectly spherical cow" moment - if you are at the point where you have access to attempt to read this, the kingdom is already lost?

by ylk

1 subcomments

For reference, this is how Google says Chrome stores passwords encrypted in memory and uses an elevated service to prevent other processes from impersonating Chrome and gaining access to the plain text passwords: https://security.googleblog.com/2024/07/improving-security-o...

by pjmlp

1 subcomments

As do almost every microservice out there, by storing credentials in environment variables, an exploit that manages to read container's memory is enough.
I keep looking for frameworks that do it the right way, holding critical data encrypted all time, but it isn't a thing most people worry about.

by golem14

1 subcomments

Since it's not been clearly stated: One attack vector might be that I step out to the bathroom for 5 minutes without locking computer, and evil hacker just dumps all my passwords before I come back.
I think it's worthwhile considering this. There's a reason why password managers ask for a master password or passkey after 10 minutes. Since I thought Chrome relied on an encrypted enclave, it isn't quite feasible to extract passwords easily even with root access.
Yes, you shouldn't leave your computer unattended. But that doesn't mean designing products that make exploiting the inevitable slipup fatal.

by danborn26

0 subcomment

This seems like a significant oversight for a modern browser. Credential material should be aggressively zeroed out after use to minimize the attack surface.

by kleiba2

1 subcomments

Does this tool access an Edge instance running on the same machine? Couldn't you then just simply export all saved passwords anyway?
https://support.microsoft.com/en-us/topic/export-passwords-i...

by nubinetwork

0 subcomment

Yeah, you can probably do the same thing to pam on linux... just attach gdb to openssh or your getty login process.

by myHNAccount123

0 subcomment

https://xcancel.com/L1v1ng0ffTh3L4N/status/20513083298807197...

by dkenyser

1 subcomments

Anyone have a link to the source code for this .exe? Would love to see _how_ it's extracting them.

by mfro

1 subcomments

To be fair, 'loads into memory' and 'stores' are not the same thing.

by aslihana

2 subcomments

Correct me if I am wrong but chrome is-at least was- keeping passwords as raw text in Windows too. I got friend's forgotten password from Chrome on 2021 version

by peterdemin

0 subcomment

Sorry for off topic, is the situation the same with Safari on MacOS? I have to touch-id every time I fill the password, so it seems like it’s not available in-memory.

by timedude

1 subcomments

That's kinda stupid. The passwords could get swapped to disk in the swap file in plaintext when memory is low by the OS.

by zx8080

0 subcomment

The only important question is: does Chrome store passwords in the same way as Edge?

by ivolimmen

0 subcomment

We have an automated task that runs the OWASP plugin (Maven on Java stack) that automatically creates a JIRA issue if there is any issue found. So I pickup the JIRA ticket and look at the CVE. First things first I __READ__ the actual CVE. Score: 7, ok that is bad Hacker can do ANYTHING by using the tmp file on THE ACTUAL MACHINE ... drag to cancel

by notepad0x90

0 subcomment

mixed feelings on this, edge is supposed to store creds via DPAPI to the most part. you should also really not use password saving feature on edge (or any browser), it exposes you to a lot more threats that you need.
But.. saved passwords are not the same thing as "secrets" the browser uses. It has to be able to provide plain text passwords to websites. This is a really bad feature browsers should just not have to begin with, but they do, and I don't see a better way to use this.
In the past, they used to store the passwords in sqlite dbs, but now they've moved away from that at least.
From an attack perspective, there maybe some instances where you can dump memory, but you can't attach a debugger to the process without getting caught. so it does make a little bit of a difference there, but microsoft will probably tell you this isn't a security boundary that's being crossed. They can store it via DPAPI in lsass, and if lsass isolation is enabled (only on physical computers, default on win11) even SYSTEM privilege won't get you the credentials.
But what's the idea here, you have access to the browser, but you can't visit the site the password is saved for to make it "in use" and in plain text, so you can dump the password? I mean, even if you don't have access to the desktop, you can just start msedge.exe with the URL for the site as an argument and trigger the password retrieval.
Edge has done a lot to improve credential security, even DPAPI's existence itself is huge. If your research has meat, that's great but I don't see it here.
This feels like some "researcher" hyping themselves up to me, but I could be wrong.
Also, I really despise how they posted this on twitter, not even considering the political landmine there, I can't see the comments or threads on there without logging in. I can't visit the site on mobile without being redirected to download the app. I just wanted to mention that if you use X as a security professional in this day and age, my opinion of you drops by like 50% immediately. I don't care if you use bluesky, vk, telegram, discord,facebook, threads or whatever else, twitter is the worst place for you to share your work and you should know better.

by pezezin

0 subcomment

The real mistake is that we are still using simple password authentication instead of challenge-response or public key authentication.

by AzzyHN

0 subcomment

And firefox stores them unencrypted by default

by matof

0 subcomment

Edge is built by a company not focusing on user data-protection, so no surprise here. At least Brave and Firefox are usable and actual competitors, but have a business model based on user security rather than data.

by iberator

0 subcomment

That's why each page of the RAM memory should be AES encrypted with a key in hardware...
This is the future and I think IBM got such technology like 50 years ago envisioned.

by LunicLynx

0 subcomment

You are absolutely right, having copilot does not help at all here.

by FuriouslyAdrift

0 subcomment

A reminder that Edge is just Chromium plus some Microsoft hooks for automated SSO.

by busterarm

2 subcomments

For anyone that thinks this is an Edge-specific dunk, Chrome does not hash your passwords and they are cleartext in memory while Chrome is running (which for most users is always).

by jmclnx

0 subcomment

In this day and time Microsoft should really know better. But I have seen this, and worse, happen over and over again in some fortune 500 companies with ERP and in-house systems.
I would think this is a local vulnerability assuming Windows works as other OSs.

0 subcomment

by kronks

0 subcomment

[dead]

by animanoir

0 subcomment

[dead]

by WolfeReader

3 subcomments

Please use a dedicated password manager, instead of a browser-based one. KeePass is likely the best going forward.

by fsflover

1 subcomments

I don't understand, who are all these people who care about security and at the same time are using Microsoft Edge. Could someone enlighten me? Does it have some specific features that somebody needs?

by thumbsup-_-

1 subcomments

Its Microsoft doing Microsoft things

by jdlyga

0 subcomment

My brain stores all my passwords in memory in clear text too

by OptionOfT

0 subcomment

I think in general one should not assume anything in Edge is done correctly. Microsoft Edge is the place where things get tried out my Microsoft, that's why it changes so fast. It has a built-in updater that is not tied to Windows update, and as such they can iterate incredibly fast.

by mghackerlady

0 subcomment

Why wouldn't it? What else would you expect from the p̶e̶o̶p̶l̶e̶ masochists who subjected us to internet explorer