A Norwegian researcher has identified an issue with Microsoft Edge’s Password Manager that could be a serious concern for businesses.

Tom Jøran Sønstebyseter Rønning found that saved passwords are held in the browser's memory in plain text, with the effect that any PC within an organization, particularly a shared machine, is a potential risk.

In a post on X, Rønning explained that when users save passwords in Edge, the browser decrypts every credential at startup and keeps it resident in process memory, regardless of whether the user visits the site.

Rønning’s finding was replicated by German IT publication Heise.de, which created and saved a password and found that, even after the browser had been closed and re-opened, the password could be found in plain text in the browser's memory.

Microsoft has been nonchalant about the discovery. It said, “Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application.”

Rønning published a simple tool on GitHub that enables people to see for themselves that passwords are stored in plain text in memory.
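The property the story turns on is that a credential sitting decrypted in one process's memory can be read by any other process running as the same user, with no exploit required. The Python script below is an added illustration of that principle and is not Rønning's tool or code from the original article: it spawns a stand-in "victim" process that holds a constructed marker string in memory (standing in for a decrypted password), then reads the victim's heap, stack and anonymous mappings through `/proc/<pid>/maps` and `/proc/<pid>/mem` and reports where the marker is found. It is Linux-only; on Windows the same thing is done with `OpenProcess` and `ReadProcessMemory`, which is the route a tool such as Rønning's, or an infostealer, would take against Edge. The marker value and the victim program are constructed for the example.

```python
"""Added example: read a plaintext marker out of another process's memory.
Linux only (uses /proc). The victim process and the marker are constructed
stand-ins for a browser holding a decrypted password; this is not Rønning's tool."""
import os
import re
import subprocess
import sys

# start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Minimal victim: keeps a secret from argv alive in memory, signals readiness, waits.
_VICTIM_CODE = r"""
import sys, time
secret = sys.argv[1].encode()   # decrypted credential resident in memory
sys.stdout.write("ready\n"); sys.stdout.flush()
time.sleep(60)
"""


def readable_private_regions(pid):
    """Yield (start, end, path) for readable, private mappings that are not
    file-backed: [heap], [stack] and anonymous memory, where a decrypted
    secret would normally live. Shared libraries and the binary are skipped."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            m = _MAPS_LINE.match(line.rstrip("\n"))
            if not m:
                continue
            start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[4]
            if perms[0] != "r" or perms[3] != "p":
                continue
            if path in ("[vvar]", "[vsyscall]"):   # not readable via /proc/pid/mem
                continue
            if path and not path.startswith("["):  # file-backed mapping
                continue
            yield start, end, path


def find_in_process_memory(pid, needle, chunk=1 << 20):
    """Return [(address, region_path), ...] for every occurrence of `needle`
    in the target's private memory. Requires the same uid as the target and
    permission under the kernel's ptrace access rules (e.g. Yama scope 1
    allows a parent to read its child)."""
    hits = []
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, path in readable_private_regions(pid):
            offset = start
            tail = b""                  # carry-over so matches spanning chunks are found
            while offset < end:
                try:
                    data = os.pread(fd, min(chunk, end - offset), offset)
                except OSError:         # region vanished or is not readable
                    break
                if not data:
                    break
                buf = tail + data
                base = offset - len(tail)
                idx = buf.find(needle)
                while idx != -1:
                    hits.append((base + idx, path))
                    idx = buf.find(needle, idx + 1)
                tail = data[-(len(needle) - 1):] if len(needle) > 1 else b""
                offset += len(data)
    finally:
        os.close(fd)
    return hits


def scan_victim(secret, needle):
    """Spawn a victim holding `secret`, scan it for `needle`, and tear it down."""
    victim = subprocess.Popen(
        [sys.executable, "-c", _VICTIM_CODE, secret],
        stdout=subprocess.PIPE, text=True,
    )
    try:
        victim.stdout.readline()        # block until the victim reports "ready"
        return find_in_process_memory(victim.pid, needle)
    finally:
        victim.kill()
        victim.wait()


def demo(secret="CorrectHorse-EdgeDemo-9f3a"):
    """Scan a victim for the very secret it holds; returns the list of hits."""
    return scan_victim(secret, secret.encode())


if __name__ == "__main__":
    for address, region in demo():
        print(f"marker found at 0x{address:x} in {region or '<anonymous>'}")
```

The marker turns up more than once (the argv copy on the stack and the `bytes` object on the heap), which is typical: a decrypted credential rarely exists in exactly one place. Nothing here needs elevation or a vulnerability, only the same user account as the target, which is exactly the scenario an infostealer operating under a logged-in user is in.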

Microsoft dismissed the significance of the passwords’ visibility, saying, “Access to browser data as described in the reported scenario would require the device to already be compromised.”

David Shipley, CEO of Beauceron Security, is not impressed with Microsoft’s response. “No, it’s not a feature. That’s an easy way to cop out of responsibility. It’s almost as bad as when firms say ‘working as designed.’ The point here, as with similar shortcomings, is convenience, speed, and avoiding investing more effort into something that they feel isn’t worth mitigating,” he said.

The bug is an open invitation to cyber criminals, said Shipley. “The old argument is that if malware gains persistence then it doesn’t make a difference, you’re in trouble anyway. It’s waving the white flag at cybercriminals and turning that white flag into a blank check for info stealers.”

Other browsers have invested more in this area. Google Chrome, for example, in line with security industry recommendations, offers a system called App-Bound Encryption, which ties the key protecting stored credentials to the browser itself rather than only to the Windows user account, so malware running under the user's account cannot simply decrypt the password store on disk as it could with DPAPI alone.

It is not a foolproof system; it has been broken in the past, but by determined hackers. The Microsoft bug, on the other hand, requires little skill to exploit.

Shipley said that if Google can do a better job of securing its browser, there is no reason why Microsoft couldn’t do so with Edge. “It’s clearly not a technical hurdle. It’s a motivational one, which shouldn’t surprise anyone because Microsoft is giving away the browser. You don’t pay for it, so why should they care about locking it down more than the bare minimum?”

Given Microsoft’s attitude, users may well want to look for another password manager, something that would be more secure.

This article has been updated with a response from Microsoft. It originally appeared on Computerworld.
