Why does this company suck at so many basic things?
DubSket on
Fucking lol, I swear this was a problem on like Windows 98. Here we are almost 30 years later.
DickButkisses on
And payment information? Is it all the autofill stuff I knew I should never utilize?
StoicRetention on
Hey Copilot, is that bad?
ifupred on
Are you shitting me? You aren't even doing the browser anymore. You're building off someone else's base and you screw that up too. What in the ever loving shit is this company doing?
Fuddle on
The important question – can websites or other innocent programs access anything in memory?
Frequent-Test-3012 on
Microsoft is doing absolutely everything in their power to increase Linux adoption
HRKing505 on
> Itavisen.no reports that Rønning received a response from Microsoft regarding the vulnerability report, stating that it was **a conscious design decision and intentional.**
Amazing. Well done, MicroSlop.
gigasawblade on
Maybe this is not best practice, but if something has access to read all your memory you probably already have other big security issues
ZombieZookeeper on
I wanted to read this but I got a really obnoxious cookie selection popup that didn’t let me opt out, so no.
meechu on
Wait, that’s not just a program preloaded onto your Windows machine to download Firefox? No way.
_Aj_ on
But Edge is Chromium based. Which has password saving already….
Sooo is that not within the open source part? Did they just ignore that bit and implement their own badly? Does Chrome also suffer from this?
Slime0 on
OK, isn’t that just how textboxes work?
AlfredoVignale on
Yep, that’s how computers work.
Demi-Fiend on
Is this not the case with other browsers?
Edit: read the article. Browsers are supposed to decrypt them on use and delete them from memory afterwards. Edge however keeps all the passwords decrypted in memory all the time.
Glad I’ve replaced every single Microsoft product I used to use.
narfio on
Fun fact: my passwords are also stored in plain text in my head.
IAmDotorg on
People are freaking out with absolutely no secure engineering experience.
Of course passwords are unencrypted in the process memory — because encrypted passwords in memory is just security theater. If it’s „encrypted“, the key has to be there. If the key is there, they might as well be plain text. Encryption at rest is important, but with passwords, you have to be able to decrypt them to use them. (This is, of course, why everyone — including Microsoft — is trying to get everyone to stop using them!)
If you have access to process memory, you have no security anyway. You’re behind the security barrier *by definition*. You protect things behind the barrier with the barrier. That’s why it exists.
And, bad news for anyone up in arms about it — your browser extensions doing 3rd party password management are far less secure. They need the password store decrypted during use and have to be outside the security barrier that isolates the HTML engine from the hosting process.
Tankeverket on
I’d love to read but I’m not accepting their cookies and trackers just because I don’t want to subscribe
sheeplectric on
This isn’t an Edge-only issue.
Passwords appearing in memory while unlocked is how all password managers work — they have to decrypt into RAM to autofill. Studies (incl. secuvera) show this happens across major managers like 1Password and Bitwarden too.
Also, this type of attack requires full access to your machine — at that point, you’ve got bigger problems.
Zxaber on
According to the article, they:
– Created a new password in Edge while using the built-in password manager
– Completely closed the browser
– Re-launched the browser and took a memory dump using Task Manager
The password saved was available in the memory dump without the associated website ever being loaded in the new session. So this would imply that *all* saved passwords are loaded into memory when Edge is launched, and as plaintext.
This isn’t like the craziest exploit to have (an attacker would need to already be pretty deep in system permissions to get to this point) but it doesn’t really reflect well either. I assume all passwords are loaded because the password manager gets them from the cloud, but if they’re going to be stored the entire time they really *ought* to be encrypted.
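The check described in the comment above, as an added example that is not part of the thread or the article: a defender's scan of a memory dump taken from your own browser for a canary password you saved yourself. The canary value, the function names and the synthetic dump are constructed for illustration, and searching both UTF-8 and UTF-16LE is an assumption about how the string might be held in memory.

```python
import io

CANARY = "Canary-7f3a-NotARealPassword"  # constructed test value, never a real password

def build_sample_dump() -> bytes:
    """Constructed stand-in for a dump file: filler with the canary planted twice."""
    return (b"\xaa" * 1000 + CANARY.encode("utf-16-le")
            + b"\xbb" * 500 + CANARY.encode("utf-8") + b"\xcc" * 200)

def scan_dump(stream, canary: str, chunk_size: int = 1 << 20) -> list[tuple[int, str]]:
    """Return sorted (offset, encoding) pairs for each canary occurrence in a binary stream.

    Reads in chunks so a multi-gigabyte dump need not fit in RAM, and carries an
    overlap between chunks so a match that straddles a chunk boundary is still found.
    """
    if not canary:
        raise ValueError("canary must be a non-empty string")
    patterns = {"utf-8": canary.encode("utf-8"),
                "utf-16le": canary.encode("utf-16-le")}
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()          # a set, because a short match can sit entirely inside the overlap
    tail = b""
    base = 0              # file offset of the first byte of (tail + chunk)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = buf.find(pat, pos + 1)
        keep = min(overlap, len(buf))
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep
    return sorted(hits)

if __name__ == "__main__":
    # Small chunk size here only to exercise the boundary handling on the sample.
    for offset, encoding in scan_dump(io.BytesIO(build_sample_dump()), CANARY, 64):
        print(f"canary found at offset {offset} as {encoding}")
```

Against a real dump, pass `open(path, "rb")` as the stream; an empty result for a canary whose site was never opened in that session is the behaviour the "decrypt on use" model would predict.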
_SimplyPudding_ on
Just vibe code a solution for this and implement it with some new AI features. Problem solved. I don't see what you nerds are so upset about. /S
AvgChrisEnergy on
Clippy would have never allowed this
Relevant_Computer642 on
Overstated. If someone has access to profile your memory, they have access to everything anyway.
Potential_Egg_6676 on
“a response from Microsoft regarding the vulnerability report, stating that it was a conscious design decision and intentional. Users should therefore look for other password managers for security” jeez
Here is an associated link to this article that shows a report from 2024 about some password managers and this type of security vulnerability:
https://www.secuvera.de/blog/studie-klartextpassworter-in-passwortspeichern/