Cybersecurity

9930 readers

187 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

335

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them; Microsoft will not fix, says the behavior is "by design" (video.twimg.com)

submitted 3 days ago by Deep@mander.xyz to c/cybersecurity@sh.itjust.works

14 comments fedilink hide all child comments

Hacker News.

When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.

At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.

Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.

It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.

Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.

If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on

(or even disconnected) users with Edge running. I reported this to Microsoft, and the official response was that the behavior is "by design". They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions

about how they manage credentials. Last wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway

Simple, educational proof of concept, to show that the passwords are stored in cleartext in memory.

Source.

you are viewing a single comment's thread
view the rest of the comments

[–] Romkslrqusz@lemmy.zip 9 points 2 days ago (1 children)

Not really the same, but unless a user has set a Primary / Master Password someone can copy and paste Firefox’s profile data (e.g from Windows Appdata) to another machine or user account and have access to all the saved passwords. If the user was signed in with a Mozilla account, it even maintains that login session.

It’s been this way for over 10 years, easy target if the disk is unencrypted or a scam artist has coerced someone into the ‘remote control’ phase of their scam.

[–] BagOfHeavyStones@piefed.social 1 points 2 days ago

I think that used to work for Chrome as well, but I think it didn't work last time I tried.