(Credit: putrakurniawan78 via Shutterstock)
UPDATE 5/15: Amid backlash, Microsoft said it will "no longer load passwords into memory on startup.” The change is already available in the browser's Canary release, with the goal of rolling it out to all stable versions of Edge in the next update.
Original Story:
Microsoft's Edge is facing controversy after a security researcher discovered the internet browser will load stored passwords in plaintext in a computer’s RAM, paving the way for malware to fetch the login credentials.
Security researcher Tom Jøran Sønstebyseter Rønning flagged the problem in a video showing him using a simple tool to dump stored passwords in Edge using the command prompt with administrator privileges.
“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” he warned, adding: “Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
However, Microsoft is pushing back on the report, saying the threat only arises if a hacker has control over the user’s PC, which could occur through a malware infection. “Access to browser data as described in the reported scenario would require the device to already be compromised,” the company said in a statement.
Still, Rønning questions why Microsoft doesn’t follow Google’s Chrome, which decrypts saved credentials “only when needed, instead of keeping all passwords in memory at all times," he said. "In contrast, Chrome will only decrypt the credential you need for autofill, when you need it, and it will be removed after."
It's also possible to dump passwords for multiple users if a hacker gains access to a Windows terminal server. In his video, Rønning noted the attacker is able to compromise a user account with administrative privileges to view the stored credentials for two other logged-on users.
However, Microsoft indicates that its current approach to loading stored passwords in Edge can improve the user experience. “Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats,” the company said. “Browsers access password data in memory to help users sign in quickly and securely—this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
That last part is a bit unsettling, though, and suggests Windows’ built-in security isn’t enough to protect the user, despite Microsoft's own recommendation.
The controversy has sparked debate, with some saying the danger is overblown because the threat vector requires hijacked admin access to a PC or server, which would expose the victim to all kinds of attacks, including password theft from other programs. But others have wondered why Microsoft doesn’t simply implement stronger security for password storage.
Vx Underground, a malware library service, noted that a malware infection could use Edge’s in-memory process to dump a user’s passwords on a home machine. “However, successfully using this method in an enterprise environment would be difficult to use. It would require administrative access and some security access tokens which would immediately raise some flags."
In the meantime, another security researcher, Rob VandenBrink, replicated the findings by going to Task Manager and using “Create Memory Dump” while the Edge browser was open on the PC. The resulting memory dump file included stored passwords. But again, this process requires local access to the PC.