As reported by HackRead, security expert Tom Jøran Sønstebyseter Rønning has raised significant security concerns regarding Microsoft Edge's password management feature. The browser reportedly converts saved passwords into plaintext within the computer's memory as soon as the application launches, making them vulnerable to unauthorized access.Rønning demonstrated at the Big Bite of Tech 26 event that Edge is unique among tested browsers in this behavior. Unlike Google Chrome, which utilizes App-Bound Encryption (ABE) to secure passwords, Edge stores them in an easily readable format. This means any user with administrative or SYSTEM-level access can potentially view these plaintext passwords. Rønning developed a tool, EdgeSavedPasswordsDumper, available on GitHub, to prove how easily attackers or infostealers can scan browser process memory for these credentials. This poses a particular risk in shared environments like terminal servers, Citrix, or VDI, where an attacker with administrative rights could access the data of multiple logged-in users.Microsoft has stated this is by design, balancing speed and security, and believes a compromised system capable of memory scanning is already a severe security breach. However, experts like Craig Lurey of Keeper Security and Morey Haber of BeyondTrust criticize this approach, emphasizing that plaintext passwords in memory are a significant liability and easily compromised, recommending separate password managers as a safer alternative.Source: HackRead
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds





