Microsoft Edge: Passwords end up in memory as plaintext
The Edge password manager looks secure: encrypted storage, gated by Windows Hello. But the passwords sit in memory in plaintext.
(Image: heise medien)
Password managers are supposed to store login credentials safely and securely, taking the memorization work off users. These practical helpers can also span device boundaries and manage login data on smartphones, desktops, and laptops alike; typically the data is stored end-to-end encrypted in the cloud. Passwords should also be decrypted in memory only briefly, at the moment they are needed. Microsoft's password manager in the Edge browser, however, fails on this point.
Tom Jøran Sønstebyseter Rønning draws attention to the problem in a post on X. A simple test confirms the vulnerability. With the password manager enabled in Microsoft Edge, we created an account with the password “Klartext-PW-Test.” To view, retrieve, or change this data, Microsoft Edge requires authentication with Windows Hello. This makes the data appear well protected.
For verification, we closed the browser and restarted Microsoft Edge, which then displayed nothing but its start page. A memory dump of the browser can now be created from the Task Manager; around 670 MB ended up on the drive. Inside it, a simple search with a hex editor for “Klartext” returned the entire “Klartext-PW-Test” password: the password had not even been used yet, but there it was in plaintext in memory.
Insecure Password Handling
Handling passwords this way in process memory has not been state of the art for a long time. By common security practice, a password should be decrypted only at the moment of use and wiped from memory very shortly afterwards. That Microsoft loads all passwords into memory at startup, before any of the sites they belong to has even been visited, is a blatant anachronism. The weakness falls under the vulnerability category CWE-316, “Cleartext Storage of Sensitive Information in Memory.” Microsoft should rectify this quickly. However, Itavisen.no reports that Rønning received a response from Microsoft to his vulnerability report stating that this is a conscious and intentional design decision. Users who want this protection should therefore look to other password managers.
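The following Python script is an added illustration, not heise's test tooling and not Microsoft's code. It automates the dump search from the test above and then contrasts the two handling models just discussed: a store that decrypts every entry at load time and keeps it resident, and one that keeps only ciphertext resident and decrypts into a scratch buffer that is wiped right after use. The heap arena, the XOR keystream cipher (a stand-in for DPAPI or AES-GCM, not for real use), the vault entry, key and nonce are all constructed for the example. One generalization beyond the hex-editor search in the text: the scanner also looks for the UTF-16LE form of the marker, since Chromium-based browsers hold many strings as UTF-16 and an ASCII-only search can miss those copies.

```python
import hashlib
import re
from typing import Callable, Dict, List, Tuple

Hit = Tuple[str, int, str]  # (encoding, offset in dump, recovered printable string)
Vault = List[Tuple[str, bytes, bytes]]  # (site, nonce, ciphertext of the UTF-16LE password)


def marker_patterns(marker: str) -> Dict[str, bytes]:
    """Chromium-based browsers hold many strings as UTF-16LE (std::u16string),
    so a search for the ASCII/UTF-8 form alone can miss copies."""
    return {enc: marker.encode(enc) for enc in ("utf-8", "utf-16le")}


def _printable_run(dump: bytes, start: int, enc: str) -> str:
    """Decode the printable run at `start` (the whole password, not just the
    marker), stopping at the first non-printable code unit."""
    step, end = (1 if enc == "utf-8" else 2), start
    while end + step <= len(dump):
        unit = dump[end:end + step]
        if (step == 2 and unit[1] != 0) or not 0x20 <= unit[0] < 0x7F:
            break
        end += step
    return dump[start:end].decode(enc)


def find_plaintext(dump: bytes, marker: str) -> List[Hit]:
    """The hex-editor search from the test, automated: every copy of `marker`
    in `dump`, in either encoding, with the full printable string behind it."""
    hits: List[Hit] = []
    for enc, pattern in marker_patterns(marker).items():
        for m in re.finditer(re.escape(pattern), dump):
            hits.append((enc, m.start(), _printable_run(dump, m.start(), enc)))
    return sorted(hits, key=lambda h: h[1])


class Heap:
    """Constructed stand-in for process memory: bytes(heap.mem) plays the dump."""

    def __init__(self, size: int = 4096) -> None:
        self.mem, self.top = bytearray(size), 0

    def alloc(self, data: bytes) -> int:
        if self.top + len(data) > len(self.mem):
            raise MemoryError("arena exhausted")
        off, self.top = self.top, self.top + len(data)
        self.mem[off:off + len(data)] = data
        return off

    def wipe(self, off: int, n: int) -> None:
        # Overwrite in place, as SecureZeroMemory/explicit_bzero do; merely
        # freeing the buffer would leave the bytes readable in a dump.
        self.mem[off:off + n] = bytes(n)


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream standing in for DPAPI/AES-GCM (not for real
    use). XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "little")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class EagerStore:
    """What the test observed: every entry decrypted when the store loads and
    kept resident, whether or not its site is ever visited."""

    def __init__(self, heap: Heap, key: bytes, vault: Vault) -> None:
        self.heap = heap
        self.slots = {site: heap.alloc(xor_keystream(key, nonce, ct)) for site, nonce, ct in vault}


class LazyStore:
    """Only ciphertext stays resident; plaintext lives in a scratch buffer for
    the duration of one callback and is wiped afterwards."""

    def __init__(self, heap: Heap, key: bytes, vault: Vault) -> None:
        self.heap, self.key = heap, key
        self.entries = {site: (nonce, heap.alloc(ct), len(ct)) for site, nonce, ct in vault}

    def with_password(self, site: str, use: Callable[[memoryview], None]) -> None:
        nonce, off, n = self.entries[site]
        scratch = self.heap.alloc(xor_keystream(self.key, nonce, bytes(self.heap.mem[off:off + n])))
        try:
            use(memoryview(self.heap.mem)[scratch:scratch + n])  # a view, not a copy
        finally:
            self.heap.wipe(scratch, n)  # shortly after use, even if `use` raises


def demo(password: str = "Klartext-PW-Test", marker: str = "Klartext") -> Dict[str, List[Hit]]:
    """Load one constructed entry into both stores and scan their 'dumps'."""
    key, nonce = b"k" * 32, b"n" * 12  # constructed, not derived from anything real
    vault: Vault = [("example.test", nonce, xor_keystream(key, nonce, password.encode("utf-16le")))]
    eager, lazy_heap = EagerStore(Heap(), key, vault), Heap()
    lazy = LazyStore(lazy_heap, key, vault)
    in_use: List[Hit] = []
    lazy.with_password("example.test",
                       lambda _view: in_use.extend(find_plaintext(bytes(lazy_heap.mem), marker)))
    return {
        "eager_at_rest": find_plaintext(bytes(eager.heap.mem), marker),  # found before any use
        "lazy_in_use": in_use,  # the short window that is unavoidable
        "lazy_after_use": find_plaintext(bytes(lazy_heap.mem), marker),  # nothing left
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:15s} {hits}")
```

Two practical notes. Against a real Edge dump, `find_plaintext` is run over the file Task Manager writes; the store lives in the browser's main process, so that is the process to dump, not one of the renderer or utility processes. And the arena is the only memory the script models: in a real Python process the password literal in `demo` also exists as an immutable `str` on the interpreter heap, which is exactly the kind of uncontrolled copy a decrypt-use-wipe design has to avoid by never materializing the secret as an immutable object.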
In its password manager test last December, the Federal Office for Information Security (BSI) explicitly excluded the Microsoft Edge password manager. However, a test of VPN software and password managers in August 2024 also found such vulnerabilities in some products.
(dmk)