Holy shit, Microsoft. Whoever made this decision should be fired. Into the Sun.

https://lemmy.world/post/46435614

#infosec #facepalm #clowncar

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them; Microsoft will not fix, says the behavior is "by design" - Lemmy.World

Hacker News [https://news.ycombinator.com/item?id=48012735].

> When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.
>
> At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.
>
> Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.
>
> It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.
>
> Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.
>
> If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on (or even disconnected) users with Edge running. I reported this to Microsoft, and the official response was that the behavior is “by design”. They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions about how they manage credentials.
Last Wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway.

Simple, educational proof of concept [https://github.com/L1v1ng0ffTh3L4N/Proof-of-Concepts/tree/main/EdgeSavedPasswordsDumper], to show that the passwords are stored in cleartext in memory. Source [https://farside.link/nitter/L1v1ng0ffTh3L4N/status/2051308329880719730].

@kaidenshi “by design”
@cienmilojos yep. "You will be pwned by script kiddies and skilled adversaries alike, by design, and you will like it" ~ Microchud
Satya Nadella says as much as 30% of Microsoft code is written by AI

Microsoft CEO Satya Nadella on Tuesday said that as much as 30% of the company's code is now written by artificial intelligence.

CNBC
@kaidenshi Wait. People actually use Edge?
@kaidenshi hahaha "we're taking security seriously"
Fuck off Satya, no you're not.

@kaidenshi all browsers expose your saved passwords in memory. Any obfuscation the browser can undo without input can be undone fairly easily.

If it makes you feel any better by the time someone gets that memory access, your system is always thoroughly pwned.

@KF0UNK the difference is that other browsers only expose the one password you request at that moment and only for as long as it takes for you to log in to the service you need it for. Edge decrypts and stores all your passwords in plaintext in memory as soon as it launches and keeps them there until you close the browser. It’s a night and day difference.

@kaidenshi

I'm just saying that from a security model I consider anything in the browser password cache to be insecure.

I shared this reply because I have researched this in the past and my finding was that I should generally assume all the passwords in any browser are compromised if the adversary has memory access.

@kaidenshi

Like, okay it's technically better to not leave them in plaintext but it doesn't change the security model in general.

@kaidenshi @KF0UNK

Not really.

Edge: The passwords are in memory, an attacker who can dump memory can read them.

Chrome: The passwords are encrypted, but the decryption key is in memory. An attacker who can dump memory can read the decryption key and read them.

Both models are vulnerable to the exact same set of attacker capabilities. From a threat-model perspective, they are not different.

If your threat model is ‘administrators on the system must not see my passwords’ then you have problems that cannot be solved on conventional operating systems on conventional hardware.

@david_chisnall @KF0UNK I'm curious as to how Firefox does it (including forks). Do you have any insight into that? I'd assume it's similar to Chrome's approach but I really have no idea.

@kaidenshi @KF0UNK

It's been ages since I looked at Firefox's password storage and that was before they moved to a multi-process architecture. Back then, a JavaScript sandbox escape could leak all passwords.

From a quick skim of their docs, they encrypt the passwords on disk. It looks as if protecting the key that they're encrypted with from an attacker with local filesystem access requires you to set a primary password (which is presumably hashed and fed to a KDF to generate the keys), but that key will be in memory for at least one process.

@david_chisnall @kaidenshi

FWIW my opinion on this was from like a whole infosec podcast episode breaking down how insecure this is everywhere and the implications for the threat model.

Always use MFA and favor external password managers for anything critical, but like I have MFA for things and don't sweat the plaintext (random single use) password for each account being in a browser session.

@david_chisnall @kaidenshi

I think of the password as special a knock on the door to get you into the process of MFA basically.

@kaidenshi

"Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them; Microsoft will not fix, says the behavior is 'by design'"

Wow.

That's some Microsoft-level bullshit right there.

@kaidenshi So not even script kiddies need apply... just an operator too dumb to trust Edge.

Microsoft, handing the blue team on a silver platter.

@kaidenshi some choose to use the TPM chip and some load it into memory; both Chromium, different name.
@kaidenshi
* whoever made this decision should go the way of Sun Microsystems (Larry Ellison cooks him, eats his hand and throws away the leftovers)
@kaidenshi It appears that lemmy.world is yet another site where #CloudFlare (#ClownFlare) will refuse to let you in from Gnome Web (browser) on mobile Linux. :-(
@kaidenshi @gregatron5 I don’t know, kinda feels like that’s what you get for using edge, and contributing to the death of all non-chromium based browsers. ¯\_(ツ)_/¯
@adamshostack @kaidenshi
Tell me you don't know or don't care about security without telling me you don't know or don't care about security.
This reminds me of the ".NET" v1 release: we invested in Code Access Security (making least privilege very easy to implement) and the Dev Division apps explicitly asserted full privilege on start up and never reduced it. The "just make it work, security be damned" culture lives on.
And they must have known what they were doing since they announced: "To increase security awareness, 95% of employees have completed the latest training on guarding against AI-powered cyberattacks, ... to improve security awareness. " [https://www.microsoft.com/en-us/security/blog/2025/11/10/securing-our-future-november-2025-progress-report-on-microsofts-secure-future-initiative/]
Saddest of all: hardly any customers will jump ship, if they even notice.
Latest progress update on Microsoft’s Secure Future Initiative | Microsoft Security Blog

Read more about the key updates and milestones of Microsoft's Secure Future Initiative in the November 2025 SFI progress report. 

Microsoft Security Blog
ssh-agent: permanent loaded ssh-key storage · Issue #1487 · PowerShell/Win32-OpenSSH

"OpenSSH for Windows" version 7.7.2.2 Server OperatingSystem Irrelevant Client OperatingSystem Windows 10 Home (18362.418) The problem I am using private SSH-keys encrypted with a passphrase. When ...

GitHub