A security researcher has discovered that Microsoft Edge will load all your stored passwords into memory in plaintext at startup, making it easy for malware to scrape those passwords.
Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats.
“We value user safety and usability, but if you’re already compromised you can go fuck yourself”
True, but there’s a big fucking difference between handing over the keys without being asked, and doing basic fucking due diligence and not loading all your passwords in plain text into memory by default.
(@iglou@programming.dev ) I can’t defend MicroSlop because that mentality is pants on head stupid and is directly in opposition to any statement that they care about security. Because, again, they made their browser behave this way for no real reason besides blowing smoke up our ass. Chromium handles passwords properly, MicroSlop chose to do it insecurely and is hiding behind the dumbest defense. Because their OS has more holes than Swiss cheese and they refuse to plug a basic security hole that they put there intentionally.
Chrome’s handling is barely more secure. A compromised device will have a much easier time reading Chrome’s encrypted store than scanning your RAM to find passwords.
Remember that if you don’t need to input a password to open the store, then anything with access to your device can also read it.
Wether it’s encrypted in your RAM or not barely makes any difference in how difficult the task is.
The only solution is: Browsers should require a password. Or even better: Use a dedicated, properly secured password manager.
Chrome’s handling is barely more secure. A compromised device will have a much easier time reading Chrome’s encrypted store than scanning your RAM to find passwords.
Regardless, they’re still loading them into memory in plain text, and knowing this exists, is going to be an easier task to grab than dealing with the encrypted store chromium uses. At least chromium uses the in built credential api to try to protect the secrets, the fact edge doesn’t is an egregious security hole.
I don’t disagree that users need to have to enter a password to view their stored passwords, but you’re hand waving a massive and intentional decrease in security on Edge’s part. No matter how easy it is to get out of another browser, this is a violation of basic secure development practices. Security is only as strong as the weakest link, and edge is determined to not even close one of the easiest links in the chain.
I will disagree on the RAM scanning being easier. It is my opinion that the weakest link here is the password store.
The security hole here is a password management system that can work without external secret. It is shocking that this is still common practice and that people use them.
Yeah, I can’t believe I’m defending Microsoft but that’s probably what they meant. No browser password saving feature is safe if your device is compromised.
“We value user safety and usability, but if you’re already compromised you can go fuck yourself”
No, if you are already compromised there is just no way anyone can help you anymore besides wiping your whole system.
True, but there’s a big fucking difference between handing over the keys without being asked, and doing basic fucking due diligence and not loading all your passwords in plain text into memory by default.
(@iglou@programming.dev ) I can’t defend MicroSlop because that mentality is pants on head stupid and is directly in opposition to any statement that they care about security. Because, again, they made their browser behave this way for no real reason besides blowing smoke up our ass. Chromium handles passwords properly, MicroSlop chose to do it insecurely and is hiding behind the dumbest defense. Because their OS has more holes than Swiss cheese and they refuse to plug a basic security hole that they put there intentionally.
Chrome’s handling is barely more secure. A compromised device will have a much easier time reading Chrome’s encrypted store than scanning your RAM to find passwords.
Remember that if you don’t need to input a password to open the store, then anything with access to your device can also read it.
Wether it’s encrypted in your RAM or not barely makes any difference in how difficult the task is.
The only solution is: Browsers should require a password. Or even better: Use a dedicated, properly secured password manager.
Regardless, they’re still loading them into memory in plain text, and knowing this exists, is going to be an easier task to grab than dealing with the encrypted store chromium uses. At least chromium uses the in built credential api to try to protect the secrets, the fact edge doesn’t is an egregious security hole.
I don’t disagree that users need to have to enter a password to view their stored passwords, but you’re hand waving a massive and intentional decrease in security on Edge’s part. No matter how easy it is to get out of another browser, this is a violation of basic secure development practices. Security is only as strong as the weakest link, and edge is determined to not even close one of the easiest links in the chain.
I will disagree on the RAM scanning being easier. It is my opinion that the weakest link here is the password store.
The security hole here is a password management system that can work without external secret. It is shocking that this is still common practice and that people use them.
Yeah, I can’t believe I’m defending Microsoft but that’s probably what they meant. No browser password saving feature is safe if your device is compromised.
Use a proper encrypted password manager