Microsoft Edge stores all passwords in memory in clear text, even when unused
cft
488 points
175 comments
May 04, 2026
Discussion Highlights (20 comments)
mfro
To be fair, 'loads into memory' and 'stores' are not the same thing.
mghackerlady
Why wouldn't it? What else would you expect from the p̶e̶o̶p̶l̶e̶ masochists who subjected us to Internet Explorer
gruez
This feels like a case of "It rather involved being on the other side of this airtight hatchway"[1]. If you can read arbitrary process memory, you're probably also in a position to just dump out the passwords by pretending to be the user in question.
> If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.
If an attacker has administrative access, they can also attach a debugger to every chrome process and force it to decrypt all the passwords. The only difference this really makes is in coldboot attacks, but even then it's still not clear whether it makes the attacker's job slightly easier, or allows an attack that's otherwise not possible.
[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
kleiba2
Does this tool access an Edge instance running on the same machine? Couldn't you then just simply export all saved passwords anyway? https://support.microsoft.com/en-us/topic/export-passwords-i...
myHNAccount123
https://xcancel.com/L1v1ng0ffTh3L4N/status/20513083298807197...
WolfeReader
Please use a dedicated password manager, instead of a browser-based one. KeePass is likely the best going forward.
busterarm
For anyone that thinks this is an Edge-specific dunk, Chrome does not hash your passwords and they are cleartext in memory while Chrome is running (which for most users is always).
dkenyser
Anyone have a link to the source code for this .exe? Would love to see _how_ it's extracting them.
thumbsup-_-
It's Microsoft doing Microsoft things
jmclnx
In this day and time Microsoft should really know better. But I have seen this, and worse, happen over and over again in some Fortune 500 companies with ERP and in-house systems. I would think this is a local vulnerability, assuming Windows works as other OSs.
FuriouslyAdrift
A reminder that Edge is just Chromium plus some Microsoft hooks for automated SSO.
jdlyga
My brain stores all my passwords in memory in clear text too
nubinetwork
Yeah, you can probably do the same thing to PAM on Linux... just attach gdb to OpenSSH or your getty login process.
timedude
That's kinda stupid. The passwords could get swapped to disk in the swap file in plaintext when memory is low by the OS.
ylk
For reference, this is how Google says Chrome stores passwords encrypted in memory and uses an elevated service to prevent other processes from impersonating Chrome and gaining access to the plain text passwords: https://security.googleblog.com/2024/07/improving-security-o...
fsflover
I don't understand, who are all these people who care about security and at the same time are using Microsoft Edge. Could someone enlighten me? Does it have some specific features that somebody needs?
matof
Edge is built by a company not focusing on user data-protection, so no surprise here. At least Brave and Firefox are usable and actual competitors, but have a business model based on user security rather than data.
OptionOfT
I think in general one should not assume anything in Edge is done correctly. Microsoft Edge is the place where things get tried out by Microsoft, that's why it changes so fast. It has a built-in updater that is not tied to Windows Update, and as such they can iterate incredibly fast.
aslihana
Correct me if I am wrong, but Chrome is (at least was) keeping passwords as raw text in Windows too. I got a friend's forgotten password from Chrome on a 2021 version.
zx8080
The only important question is: does Chrome store passwords in the same way as Edge?