Identity

Microsoft Edge password saving practice raises security concerns

Start Microsoft Edge app on windows os in screen macro close up view

As reported by HackRead, security expert Tom Jøran Sønstebyseter Rønning has raised significant security concerns regarding Microsoft Edge's password management feature. The browser reportedly converts saved passwords into plaintext within the computer's memory as soon as the application launches, making them vulnerable to unauthorized access.

Rønning demonstrated at the Big Bite of Tech 26 event that Edge is unique among tested browsers in this behavior. Unlike Google Chrome, which utilizes App-Bound Encryption (ABE) to secure passwords, Edge stores them in an easily readable format. This means any user with administrative or SYSTEM-level access can potentially view these plaintext passwords. Rønning developed a tool, EdgeSavedPasswordsDumper, available on GitHub, to prove how easily attackers or infostealers can scan browser process memory for these credentials. This poses a particular risk in shared environments like terminal servers, Citrix, or VDI, where an attacker with administrative rights could access the data of multiple logged-in users.

Microsoft has stated this is by design, balancing speed and security, and believes a compromised system capable of memory scanning is already a severe security breach. However, experts like Craig Lurey of Keeper Security and Morey Haber of BeyondTrust criticize this approach, emphasizing that plaintext passwords in memory are a significant liability and easily compromised, recommending separate password managers as a safer alternative.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds