A recent discovery by a security researcher has shed light on a significant vulnerability in Microsoft Edge. The browser has been found to decrypt all stored passwords into cleartext in its process memory as soon as it launches. This occurs regardless of whether the user accesses the websites associated with those passwords.
Security Research Findings
Revealed by PaloAltoNtwks Norway at BigBiteOfTech on April 29, the flaw was identified by researcher @L1v1ng0ffTh3L4N. The researcher examined the credential memory handling of major Chromium-based browsers, uncovering that Edge uniquely loads its entire password vault in plaintext at startup and retains it throughout the session.
In contrast, Google Chrome practices on-demand decryption, activating credentials only when required for autofill or user access. Chrome also employs App-Bound Encryption, tying decryption keys to authenticated Chrome processes, thereby securing credentials from unauthorized access.
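To make the design difference concrete, here is an added example (not code from Edge, Chrome or the researcher) that models the two vault strategies the article contrasts. The "eager" vault decrypts every entry at launch and keeps the plaintext resident for the whole session; the "on-demand" vault keeps only ciphertext resident, decrypts a single entry when an autofill request needs it, and wipes the buffer afterwards. The cipher (a SHA-256 keystream with an HMAC tag), the master secret, the salt and the sample credentials are all constructed for the example so it runs offline; a real vault would use a proper AEAD and derive its key from the OS key store.

```python
"""Toy comparison of eager vs. on-demand credential-vault designs (constructed example)."""
import hashlib
import hmac
import secrets
from contextlib import contextmanager

# Constructed values; a real vault derives the key from the OS key store (e.g. DPAPI).
MASTER_SECRET = b"constructed-master-secret"
SALT = b"constructed-salt"

# Constructed sample credentials; not from any real store.
SAMPLE_CREDENTIALS = {
    "https://mail.example.test": b"hunter2-constructed",
    "https://bank.example.test": b"correct-horse-constructed",
}


def derive_key() -> bytes:
    """Derive the vault key from the master secret (PBKDF2 stands in for the OS key store)."""
    return hashlib.pbkdf2_hmac("sha256", MASTER_SECRET, SALT, 10_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; only for the example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytearray:
    """Verify the tag, then return the plaintext in a mutable buffer so it can be wiped."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob failed integrity check")
    return bytearray(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_encrypted_store(key: bytes) -> dict:
    """What is persisted on disk: ciphertext only."""
    return {site: encrypt(key, pw) for site, pw in SAMPLE_CREDENTIALS.items()}


class EagerVault:
    """Decrypts the whole store at launch; every plaintext stays resident all session."""

    def __init__(self, key: bytes, store: dict):
        self._plain = {site: decrypt(key, blob) for site, blob in store.items()}

    def resident_plaintext(self) -> dict:
        """Plaintext currently held in this process's memory."""
        return {site: bytes(buf) for site, buf in self._plain.items()}

    def autofill(self, site: str) -> bytes:
        return bytes(self._plain[site])


class OnDemandVault:
    """Keeps ciphertext resident; decrypts one entry per request and wipes it afterwards."""

    def __init__(self, key: bytes, store: dict):
        self._key = key
        self._store = dict(store)
        self._checked_out = {}  # site -> live plaintext buffer, only during a request

    @contextmanager
    def autofill(self, site: str):
        buf = decrypt(self._key, self._store[site])
        self._checked_out[site] = buf
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))  # best-effort zeroisation of the buffer
            del self._checked_out[site]

    def resident_plaintext(self) -> dict:
        """Plaintext currently held in this process's memory (empty between requests)."""
        return {site: bytes(buf) for site, buf in self._checked_out.items()}
```

The `resident_plaintext()` method is the observable the article is about: for the eager design it equals the entire credential set from the moment the object is constructed, whereas for the on-demand design it is empty except during a single autofill and the buffer reads as zeros once the request completes. Zeroisation in Python is best-effort (copies made by callers are outside the vault's control), which is why the on-demand vault hands out a mutable `bytearray` rather than an immutable `bytes`.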
Implications of the Vulnerability
Edge’s approach leaves every saved credential exposed in the browser’s process memory, creating a broad avenue for credential extraction by any malicious actor capable of accessing this memory. This vulnerability starkly contrasts with Edge’s user interface, which demands re-authentication before displaying passwords, offering a false sense of security.
The risk rises substantially in environments such as Remote Desktop Services or terminal servers, where an attacker with administrative rights can read the memory of every user's Edge process at once. A proof-of-concept video demonstrated the extraction of credentials belonging to other users, including those with disconnected sessions, simply by reading Edge's process memory.
Microsoft’s Response and Recommendations
Upon notification, Microsoft stated that the behavior is ‘by design,’ acknowledging in public documentation that credentials in memory may be accessed under certain local attack conditions. The company categorizes these scenarios as beyond the threat model of the browser.
Accompanying the disclosure, an educational tool was released to help users verify if their Edge browser holds cleartext credentials. This tool aims to raise awareness and encourage verification of the issue.
Security professionals managing environments where Edge is deployed, especially in shared or multi-user systems, should treat this as a significant configuration risk. Until Microsoft revises its design, migrating to browsers with stronger security measures, such as on-demand decryption and App-Bound Encryption, is advised.
For those interested in aligning their endpoint security with evolving requirements, a free webinar is available for registration.
