Microsoft Edge writes passwords to memory in cleartext: a gift for attackersMicrosoft Edge writes passwords to memory in cleartext: a gift for attackers.
Microsoft Edge “by design” decrypts and loads all saved user passwords into memory, where they remain in cleartext throughout the session. This makes credential harvesting easier for attackers, a security researcher warns. However, if a hacker is in a position to read from your memory, the user already has big problems.
Security researcher Tom Jøran Sønstebyseter Rønning discovered a unique Microsoft Edge behavior: on startup, the browser loads all saved passwords into memory and keeps them in cleartext for the entire duration of the session.
“This happens even if you never visit a site that uses those credentials,” the researcher posted on X.
“Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
“This happens even if you never visit a site that uses those credentials,” the researcher posted on X.
“Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
This makes it easier for attackers to extract saved passwords by reading process memory.
Chrome, for example, only decrypts a password when it is needed and also uses Application-Bound Encryption feature as an additional defence against information theft, which locks the keys to an authenticated Chrome process, running as SYSTEM. Therefore, passwords only briefly appear in plain text during autofill, or when users view them.
The researcher warns that an attacker with administrative access on a terminal server can access memory of all logged-on user processes. The proof of concept demonstrates that hackers could access user passwords of other users even while Edge is running.
“I reported this to Microsoft, and the official response was that the behavior is ‘by design.’ They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions,” the researcher concluded.
Still, exploiting this bug requires administrative privileges on the system, which can already be considered a full compromise. Security experts on Hacker News noted that administrative access can be abused to extract passwords from any browser
Chrome, for example, only decrypts a password when it is needed and also uses Application-Bound Encryption feature as an additional defence against information theft, which locks the keys to an authenticated Chrome process, running as SYSTEM. Therefore, passwords only briefly appear in plain text during autofill, or when users view them.
The researcher warns that an attacker with administrative access on a terminal server can access memory of all logged-on user processes. The proof of concept demonstrates that hackers could access user passwords of other users even while Edge is running.
“I reported this to Microsoft, and the official response was that the behavior is ‘by design.’ They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions,” the researcher concluded.
Still, exploiting this bug requires administrative privileges on the system, which can already be considered a full compromise. Security experts on Hacker News noted that administrative access can be abused to extract passwords from any browser
Microsoft Edge在啟動時會把密碼管理器裡儲存的所有密碼載入到記憶體中,而且是以明文未加密的形式存在記憶體裡,即使你沒有登入使用這些需要密碼自動填入的網站,而且在Edge被關閉前都會一直存在記憶體裡。研究人員警告說,取得管理員權限的駭客可以存取已登入使用者的進程記憶體,只要Edge瀏覽器正在運行,駭客就可以獲得用戶Edge瀏覽器裡的密碼。
對比Chrome只在需要填入密碼時才會取出密碼,Chrome會將密鑰鎖定在以SYSTEM權限執行的已認證Chrome進程中,並且用綁定加密功能作為額外的防盜措施,密碼只會在自動填入或使用者檢視時才會暫時以明文顯示。輸入完就會從記憶體裡清除。
該研究人員總結:「我已將此事報告給微軟,官方回應稱這種行為是『有意為之』。微軟他們已經被告知,我將出於負責任的態度分享此事,以便用戶和微軟能夠做出明智的決定,」
Hacker News 上的安全專家指出,此風險只需要取得系統管理員權限就能被利用,從而竊取瀏覽器中密碼。
這件事剛在國外炒起來,目前網上的討論二派意見分岐,一派認為這是正常設計,一派認為這是高風險行為。
雖然瀏覽器的密碼管理和自動填入很方便,但只要密碼管理器設計有問題就可能會外洩你的密碼或信用卡資訊,大家儘量不要把重要的密碼、信用卡資訊、身份相關資料等交給瀏覽器做管理和自動填入,以免被漏洞風險外洩。
電梯
