It has been pointed out that Microsoft Edge stores passwords in plain text in memory.



Cybersecurity researchers have pointed out that Microsoft Edge, the web browser included with Windows, stores saved passwords in plain text in memory.

Researcher Finds Microsoft Edge Stored Passwords Load in Plaintext | PCMag

https://www.pcmag.com/news/researcher-finds-microsoft-edge-stored-passwords-load-in-plaintext

The observation was made by Norwegian researcher Tom Göran Sonsteviseter Rönning. The video evidence presented by Rönning is as follows:



Rönning launched his own program, 'EdgeSavedPasswordDumper.exe'.



After waiting a few seconds, the passwords that tstark had saved were displayed.



Furthermore, maryjane's password was also exposed. This shows that an attacker who has compromised an account with administrator privileges can view the credentials stored for the two logged-in accounts.



According to Rönning, Microsoft Edge decrypts all stored credentials upon startup and keeps them resident in process memory. This happens even if you never access any sites that use those credentials.



Edge's password manager prompts for re-authentication when displaying passwords, but in reality, the browser process already has the password stored in plain text.



Edge, like Chrome, is a Chromium-based browser. Among Chromium-based browsers, however, this issue has only been confirmed in Edge; Chrome is not designed in a way that allows an attacker to extract passwords simply by reading process memory.



Microsoft, however, counters that accessing data in the scenario described by Rönning would require the PC to have already been compromised.
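
For defenders, the scenario described above (a separate process reading the memory of the Edge process) shows up in process-access telemetry. The following is an added example, not code from the article or from Rönning: it assumes Sysmon Event ID 10 (ProcessAccess) records already parsed into dicts, and the sample events, file paths and allowlist are constructed for illustration.

```python
# Added example: flag Sysmon Event ID 10 (ProcessAccess) records in which a
# process outside an allowlist opens msedge.exe with memory-read rights.
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Assumption: processes expected to open Edge on this fleet; tune per environment.
ALLOWED_SOURCES = {EDGE.lower(), r"c:\windows\system32\csrss.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_edge_reads(events):
    """Return events where an unexpected process obtained VM_READ on msedge.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if image_name(ev.get("TargetImage") or "") != "msedge.exe":
            continue
        try:
            mask = int(ev.get("GrantedAccess"), 16)  # Sysmon logs the mask as hex text
        except (TypeError, ValueError):
            continue  # missing or malformed field: nothing to evaluate
        if not mask & PROCESS_VM_READ:
            continue  # handle cannot be used to read memory
        if (ev.get("SourceImage") or "").lower() in ALLOWED_SOURCES:
            continue  # e.g. Edge's own child processes
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\EdgeSavedPasswordDumper.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},  # includes PROCESS_VM_READ
    {"EventID": 10, "SourceImage": r"C:\Tools\monitor.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},  # query-only, no memory read
    {"EventID": 10, "SourceImage": r"C:\Tools\monitor.exe",
     "TargetImage": EDGE, "GrantedAccess": "n/a"},     # malformed mask
    {"EventID": 1, "Image": EDGE},                      # process creation, ignored
]

if __name__ == "__main__":
    for hit in suspicious_edge_reads(SAMPLE_EVENTS):
        print("ALERT:", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```
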

Posted by logc_nt