Vulnerabilities

Microsoft Edge Password Risk

May 16, 2026 00:13 · 12 min read

Microsoft Edge Password Storage Vulnerability

A recent proof-of-concept exploit has revealed a significant vulnerability in Microsoft Edge, where the browser stores passwords in cleartext in process memory, even when not in use. This issue, discovered by security researcher Tom Jøran Sønstebyseter Rønning, poses a substantial risk to enterprise security, particularly in shared environments.

Exploiting the Vulnerability

An attacker with administrative privileges can exploit this issue to access Microsoft Edge user passwords, even when the browser is not active. Rønning explained that an attacker can access process memory via Citrix, virtual desktop infrastructure (VDI), or a Windows terminal server, allowing them to dump credentials and use them for malicious activities.

Rønning demonstrated the exploit in a proof-of-concept tool at the BIG Bite of Tech conference and posted the resources on GitHub. He noted that the issue is particularly concerning in shared corporate environments, where an attacker can access the memory of all logged-on user processes.

False Sense of Security

The vulnerability gives users a false sense of security: Edge prompts for a separate password before revealing saved passwords, which implies they are protected at rest, yet the cleartext copy held in process memory can be read to recover all of them, even when no Edge session is active.

According to Danwei Tran Luciani, chief product technology officer at Detectify, the main risk is that the product signals one level of protection while operating at another. This mismatch increases the likelihood that a local breach will turn into credential exposure, effectively widening the blast radius.

'By Design': A Feature, Not a Bug?

Rønning reported the issue to Microsoft, who responded that the behavior is 'by design'. Edge is based on the open-source Chromium framework, but it is the only browser based on this framework that stores passwords in cleartext in process memory. In contrast, Chrome and other Chromium browsers use a design that makes it more difficult for attackers to extract saved passwords.

Microsoft's explanation for not using app-bound encryption (ABE) is that when you have administrator access, all bets are off. However, Rønning argues that ABE makes it easier to detect malicious activity necessary to break this protection.

Defending Against Browser Security Problems

Rønning advises organizations running Windows and using Edge as a default browser to set group policies to prevent Edge from storing passwords. For personal users, he recommends not using Edge at all, as this attack vector would be difficult to stop.
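The group-policy mitigation above can be applied and verified with PowerShell. This is an added example, not code from the article or from Rønning's proof-of-concept; it assumes the Edge policy named `PasswordManagerEnabled` (taken from Microsoft's Edge policy documentation, not from this page) under the machine-wide `HKLM:\SOFTWARE\Policies\Microsoft\Edge` hive, which is where Group Policy and Intune write Edge settings, and that the script runs elevated on the endpoint being configured.

```powershell
# Added example (not from the article): disable Edge's built-in password manager
# via the machine policy hive that Group Policy normally writes.
# Assumptions: the policy name PasswordManagerEnabled (Microsoft Edge policy
# documentation) and an elevated session. In a domain the same DWORD is usually
# deployed from the Edge ADMX templates; writing it directly is equivalent for a
# single machine, a golden image, or a quick test.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgePasswordSavingDisabled {
    # Create the policy key if no Edge policy has been deployed yet
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    # 0 = users cannot save new passwords in Edge's password manager
    New-ItemProperty -Path $policyPath -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-EdgePasswordSavingDisabled {
    # Returns $true only when the policy exists AND is explicitly 0.
    # An absent value means Edge falls back to its default (saving allowed),
    # so "not present" must be treated as non-compliant, not as unknown.
    $item = Get-ItemProperty -Path $policyPath -Name 'PasswordManagerEnabled' `
        -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.PasswordManagerEnabled -eq 0)
}

Set-EdgePasswordSavingDisabled
if (Test-EdgePasswordSavingDisabled) {
    Write-Output 'Edge password manager is disabled by policy.'
} else {
    Write-Warning 'Policy not applied; check elevation and the registry path.'
}
```

The verification function is separated from the setter so it can run on its own as a compliance check across a fleet (for example from a scheduled task or a configuration baseline); Edge reads this hive at startup, and the effective value can be confirmed on the endpoint at `edge://policy`.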

Luciani suggests that organizations reduce their reliance on the browser as a credential store and use dedicated, managed password solutions with stronger access controls. She also recommends limiting local and admin privileges and paying close attention to endpoint monitoring, especially for behaviors like memory scraping.
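Luciani's recommendation to watch for memory scraping can be turned into a concrete hunt. The following is an added example, not from the article or its sources; it assumes Sysmon is installed with ProcessAccess logging enabled, reads Sysmon's own Event ID 10 fields (`SourceImage`, `TargetImage`, `GrantedAccess`) from the `Microsoft-Windows-Sysmon/Operational` log, and uses an illustrative allow-list of benign readers that must be tuned per environment.

```powershell
# Added example (not from the article): surface Sysmon ProcessAccess events
# (Event ID 10) in which some process opened a handle to msedge.exe with
# memory-read rights, the minimum a credential scraper needs.
# Assumptions: Sysmon with ProcessAccess logging configured; field and log names
# are Sysmon's; the allow-list below is a constructed placeholder to replace with
# the EDR/AV binaries that legitimately read browser memory in your estate.

$ProcessVmRead  = 0x0010          # PROCESS_VM_READ access right
$AllowedSources = @(              # constructed placeholder entries; tune per environment
    'C:\Program Files\ExampleEDR\sensor.exe'
)

function Get-EdgeMemoryReadEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourceImage   = $d['SourceImage']
            TargetImage   = $d['TargetImage']
            # Sysmon records GrantedAccess as a hex string such as 0x1010;
            # PowerShell converts that to an integer for the bitmask test below
            GrantedAccess = [int]$d['GrantedAccess']
        }
    } |
    Where-Object {
        $_.TargetImage -like '*\msedge.exe' -and
        ($_.GrantedAccess -band $ProcessVmRead) -ne 0 -and
        $AllowedSources -notcontains $_.SourceImage
    }
}

# Usage: review the last day of reads against Edge memory, oldest first
Get-EdgeMemoryReadEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The bitmask test rather than an exact match on `GrantedAccess` matters because scrapers request varying combinations of rights; anything including `PROCESS_VM_READ` against a browser process is worth a look. Expect noise from security tooling and from Edge's own processes opening each other, which is why the allow-list exists; a persistent reader that is not on it, especially on a Citrix or VDI host where many users' browsers share one machine, is the signal this article's mitigation section is asking you to watch for.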

By taking these steps, organizations can mitigate the risks associated with the Microsoft Edge password storage vulnerability and protect their users' credentials.


Source: Dark Reading

