Microsoft Edge Vulnerability Exposes Passwords in Cleartext, Raising Security Concerns

Microsoft Edge’s Password Management Poses Significant Security Risks

A recent security analysis has revealed a critical vulnerability in Microsoft Edge's password management. Unlike other Chromium-based browsers, Edge decrypts every saved password into cleartext in the browser's process memory as soon as it launches and keeps it there, unprotected, for the whole session. Anyone who can read that memory, whether malware running in the same user session or an administrator on a shared host, can recover the entire vault without any further authentication, which makes the issue especially serious on systems used by multiple people.

Discovery of the Vulnerability

The vulnerability was identified by security researcher @L1v1ng0ffTh3L4N, who examined how the major Chromium-based browsers handle stored credentials. The findings show that Microsoft Edge is unique in decrypting the entire password vault into plaintext process memory at startup and retaining it for the duration of the session. Google Chrome, by contrast, decrypts a password only when it is needed: for autofill on a matching site, or when the user explicitly reveals a saved password. Chrome additionally uses App-Bound Encryption, under which the vault key is held by a SYSTEM-level service that releases it only to Chrome's own signed binary, so a process running in the user's context can no longer recover the key simply by calling DPAPI as that user. That protects the vault at rest against same-user malware; it does not protect a password that Chrome has already decrypted into memory, but because Chrome decrypts on demand, the window in which any given password is exposed is short rather than the entire session.

Implications for User Security

Because Edge decrypts everything at startup, the risk of credential theft increases significantly. Any attacker who can read the browser's process memory can recover every stored password without further authentication. Within a single user session, that requires no special privilege at all: a process running as the same user can open that user's own processes for reading. Across sessions, it requires administrative rights or SeDebugPrivilege, which is exactly what an attacker who has compromised an administrator account on a shared system such as a Remote Desktop Services (RDS) or terminal server holds, allowing credentials to be harvested from every logged-on user at once.

In a proof-of-concept demonstration, a compromised administrator account was used to extract stored credentials from other active user sessions by reading the Edge browser's process memory. This maps to MITRE ATT&CK technique T1555.003 (Credentials from Password Stores: Credentials from Web Browsers).
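Defenders cannot change how Edge handles its vault, but the cross-process memory read that the proof of concept relies on is observable. The following is an added example written for this article, not code from the researcher, Microsoft or Sysmon: it scans Sysmon ProcessAccess (Event ID 10) records and flags any process other than Edge itself that obtains PROCESS_VM_READ on an msedge.exe process, escalating to high severity when the reader and the target belong to different users, which is the RDS scenario described above. The log lines are constructed for the example; the key=value export format and the presence of the SourceUser/TargetUser fields (emitted by Sysmon 14 and later) are assumptions.

```python
import re
from dataclasses import dataclass

# Win32 access right needed to read another process's memory (PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010

# Edge's own browser, renderer and utility processes open each other constantly,
# so msedge.exe reading msedge.exe is expected and is not alerted on.
ALLOWED_SOURCES = {"msedge.exe"}

# Constructed sample records (not real telemetry). Format and user fields are assumptions.
# 1: Edge-internal access (benign)          2: Task Manager with a query-only handle (benign)
# 3: admin-session tool reading alice's Edge (cross-user, the RDS case)
# 4: same-user tool reading alice's Edge (user-context malware)
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe GrantedAccess=0x1FFFFF SourceUser=CORP\alice TargetUser=CORP\alice
EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe GrantedAccess=0x1000 SourceUser=CORP\alice TargetUser=CORP\alice
EventID=10 SourceImage=C:\Users\admin\Desktop\dumper.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe GrantedAccess=0x1010 SourceUser=CORP\admin TargetUser=CORP\alice
EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\stealer.exe TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe GrantedAccess=0x1410 SourceUser=CORP\alice TargetUser=CORP\alice
"""


@dataclass
class Finding:
    source: str        # basename of the process that opened Edge
    target_user: str   # owner of the Edge process that was read
    granted: int       # GrantedAccess mask from the event
    cross_user: bool   # reader and target belong to different users
    severity: str


# key=value pairs where a value may contain spaces (Windows paths); a value ends
# where the next "key=" token begins or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line):
    """Parse one key=value Sysmon line into a dict."""
    return dict(_KV.findall(line.strip()))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(rec):
    """Return a Finding if this record is a memory read into msedge.exe by a foreign process, else None."""
    if rec.get("EventID") != "10" or basename(rec.get("TargetImage", "")) != "msedge.exe":
        return None
    granted = int(rec.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # a query-only handle (e.g. 0x1000) cannot read the decrypted vault
    src = basename(rec.get("SourceImage", ""))
    if src in ALLOWED_SOURCES:
        return None
    cross_user = rec.get("SourceUser") != rec.get("TargetUser")
    return Finding(src, rec.get("TargetUser", ""), granted, cross_user,
                   "high" if cross_user else "medium")


def scan(log_text):
    """Run every non-empty line through evaluate() and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = evaluate(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.source} read msedge.exe memory of {f.target_user} "
              f"(access=0x{f.granted:X}, cross_user={f.cross_user})")
```

Two caveats apply. Sysmon only records ProcessAccess events that its configuration asks for, so a rule targeting msedge.exe must be in place before the read happens, and an attacker who already holds administrative rights on the host can stop or reconfigure Sysmon; treat this as a detection for the same-user case and for administrators who have not yet tampered with logging, not as a control that replaces keeping Edge's vault off shared hosts.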

Microsoft’s Response

Upon disclosure, Microsoft responded that the behavior is by design. The company's public documentation acknowledges that credentials held in browser memory can be read by a local attacker, but it treats such local, same-machine attacks as outside the browser's threat model. That stance has raised concern in the security community, since it signals that no fix is planned and that the exposure will remain for as long as users rely on Edge's built-in password storage.

Broader Context of Browser Security

This discovery adds to a series of security problems associated with web browsers. A previously reported Microsoft Edge vulnerability, for example, allowed attackers to install malicious extensions without the user's knowledge, opening the door to data theft and privacy invasions. More broadly, T1555.003 exists as a catalogued technique precisely because harvesting usernames and passwords from browsers is routine adversary tradecraft, and a single stolen browser vault can expose both personal and enterprise accounts at once.

Recommendations for Users

Given the current state of Microsoft Edge’s password management, users are advised to take proactive measures to safeguard their credentials:

1. Utilize Third-Party Password Managers: Employ a reputable password manager rather than the browser's built-in storage, and prefer one that decrypts only the entry being filled and locks the vault after a timeout, so that a memory read yields at most one credential instead of the whole vault. On shared hosts, administrators can also disable browser password saving entirely through the Edge PasswordManagerEnabled policy, which leaves no vault for Edge to decrypt at startup.

2. Enable Multi-Factor Authentication (MFA): Implement MFA across all accounts to add an extra layer of security, making it more challenging for attackers to gain unauthorized access.

3. Regularly Monitor Account Activity: Stay vigilant by routinely checking account activities for any unauthorized access or anomalies.

4. Keep Software Updated: Ensure that all software, including browsers and security tools, is up to date. Microsoft has not committed to changing this behavior, so updates will not remove the exposure on their own, but they do close the other vulnerabilities an attacker would typically use to gain the foothold needed to read process memory in the first place.

Conclusion

The revelation of Microsoft Edge’s practice of storing decrypted passwords in cleartext process memory underscores the importance of robust password management and the need for users to remain vigilant about their digital security. While Microsoft considers this behavior to be by design, the cybersecurity community continues to advocate for enhanced security measures to protect users from potential threats.