I'm guessing not a state actor. They already have enough other backdoors that Microsoft already put in for them, and plaintext is just too obvious even for them.

My bet is that this is just one more example in the already giant collection demonstrating Microsoft's utter incompetence around good engineering, robust security, and properly testing products before releasing them.

I doubt it's AI slop.

Edge has been storing passwords long enough that I assume the password manager code predates AI coding.

Place your bets....state actor or AI slop?

MS. is AI slop.

MS is a state actor.

Given that Edge is just a Chrome skin, it seems like they must have gone out of their way to remove the protection Chrome has and replace it with their own worse version.

It'd be a lot harder to find a (probably hashed) master password sitting in RAM, since it would look just like random bytes, than plaintext passwords. And you could surround the hashed master password with lots of other random bytes to make it even harder to find.

I'm not familiar with the exact implementations, but it's actually not hard to imagine a scenario where 1 is needlessly vulnerable, and 1 is not.

For the "secure" model,

What immediately comes to mind is a multi-process design (which I know that Chrome does use, but not to what extent).

The ability to read/decrypt passwords would be kept in a separate process from whatever handled rendering the website and runnings its javascript (since that's the most exposed to security challenges).

The head process woul

Not deleting the password from memory is where Edge ultimately exposes itself excessively compared to competition. This is what happens when you have programmers that only think in terms of a Turing machine abstraction, versus doing practical threat modeling.

> If an attacker has enough control of your machine to dump the password database, they have enough control

Er, I meant if they have enough control to dump RAM. Thinko because what I was thinking is that if they can dump RAM they can dump your password database, too (unless user authentication is in the loop and that authentication relies on secrets not in the device).

> I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here. It's hard to come up with a practical threat model which Edge would fail but Chrome or Firefox or any other browser with a built-in password manager would meet, unless the browser required authentication for every password retrieval.

Chrome does require authentication for every password retrieval. It uses Windows Hello as well so in theory you don't even have a password to intercept since something like facial recognition authentication via a FIDO2 handshake is what ultimately allows Chrome to fill a single password on a single site.

Microsoft is sort of right, but in other ways very wrong. The scope of this is huge. There's a big difference between malware getting my Slashdot password when I log into Slashdot, and malware getting my banking password when I log into Slashdot.

It shows that for Microsoft, security is an afterthought rather than a priority, with the obvious result that Microsoft software is not secure.

RAM plaintext passwords mean that any programmer mistake could expose them to the world. If they don't exist in RAM (Chrome's way), they're impossible to expose.

> I'd love to trash Edge, but it's hard to argue against Microsoft's analysis here

i think you don't get the irony. this is the company that campaigned furiously for the necessity of tpm for consumer devices ...

you couldn't make this shit up, brought to you by "closed proprietary sofware".

then again, decrypting an entire password list and leaving it around in memory for no reason is totally unacceptable practice. it's flabbergasting. you access sensible information only when needed and dispose of it after use, and even zeroing the memory should be par for the course. this is basic hygiene in any context.

both the pretext of "efficiency" and completely disregarding "defense in depth" are just laughable, even moreso if the information is as sensible as passwords no less, and agument "incompetency" to "pathetic clown level incompetency".

Been trying to figure out how Chrome does this because my recollection was that Chrome had the exact same problem - I remember making a similar point to you in forum threads a couple years back with people complaining about it then.

It looks like in 2024, Chrome [1]added support [googleblog.com] for something called the Data Protection API ( [2]DPAPI [microsoft.com]), which provides some mitigation against arbitrary memory reads:

> App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app's identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail.

> Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app. Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing. This makes their actions more suspicious to antivirus software â" and more likely to be detected

It's not clear from my quick read if this defends against this class of "attack" in all cases but it reads like it migh

[1] https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html

[2] https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection

> unless the browser required authentication for every password retrieval.

It would be much safer if the browser requires authentication for each site. Generally most users are not opening new sites every second. A possible threat is the one in the summary.

> If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords unless every retrieval requires user authentication in the loop -- which would be pretty annoying, which is why they don't do that.

The whole point is an attacker dumping the encrypted password database does little as it is encrypted. Chrome and other password manages only decrypts one password at a time. Even if an attacker exposes that password, all the other passwords are safe.

> Still, if it were me writing the code, I'd do it Chrome's way, just because leaving secrets sitting around in plaintext in RAM makes me uncomfortable.

To me, the Edge way is just laziness. It is also less efficient by storing eve

> If an attacker has enough control of your machine...

Not a plot-twist. Microsoft is the attacker or aiding and abetting someone that is. You are evaluating the world as if rules of conduct still exist anywhere among the ruling class.

Agreed. A while back, I had a security training that mentioned that passwords should always be stored in the stack and never in the heap. Which would result in what Chrome is doing. In fairness, if the password needs to be passed in plain text to the website, then it needs to exist in memory, in plain text, at some point. Still, it's silly to permanently keep all of them in plain text in the heap. Maybe a good car analogy is leaving your door unlocked at all times Vs unlocking it just when entering the vehi

> If an attacker has enough control of your machine to dump the password database, they have enough control to get it to retrieve the plaintext passwords

Not true.

An attacker may have a limited window. He might exploit some other vulnerability to do some operation with privileged access rights, but not have an admin shell.

Thankfully not a windows user, but if passwords are in memory and you ran a claw bot wouldn't Claude be able to just find your passwords in memory or from a core dump? Whereas if they are hashed on disk and hopefully not kept around, no?

Right now it requires privileged access to a machine. Someone is likely to figure out a way to side step that requirement. However in the current form, an IT admin could steal another employee's credentials.

It is definitely a potential vector, albeit a low risk one and not one the majority have any need to be concerned over. HOWEVER, given they were one of the big pushers for secure storage and management of credentials this sets a horrible precedent and they should know better.

No, they'll be promoted. The ability to lie with a straight face is a highly sought after business skill.

Nevermind, just read the rest of the summary