A Norwegian researcher has identified an issue with Microsoft Edge’s Password Manager that could be a serious concern for businesses.
Tom Jøran Sønstebyseter Rønning found that passwords are being saved within the browser in plain text, with the effect that any PC, particularly a shared machine, within an organization is a potential risk.
In a post on X, Rønning explained that when users save passwords in Edge, the browser decrypts every credential at startup and keeps it resident in process memory, regardless of whether the user visits the site.
Rønning’s finding was replicated by German IT publication Heise.de, which created and saved a password and found that, even after the browser had been closed and re-opened, the password could be found in plain text.
Microsoft has been nonchalant about the discovery. Norwegian website Itavisen.no said, “Rønning reported the discovery to Microsoft, and according to the company, the behavior is ‘by design’.”
Itavisen.no further said that Rønning plans to publish a simple tool on GitHub that allows people to see for themselves that passwords are stored in plain text in memory.
Microsoft did not respond to a request for comment.
David Shipley, CEO of Beauceron Security, is not impressed with Microsoft’s response. “No, it’s not a feature. That’s an easy way to cop out of responsibility. It’s almost as bad as when firms say ‘working as designed.’ The point here, as with similar shortcomings, is convenience, speed, and avoiding investing more effort into something that they feel isn’t worth mitigating,” he said.
The bug is an open invitation to cyber criminals, said Shipley. “The old argument is that if malware gains persistence then it doesn’t make a difference, you’re in trouble anyway. It’s waving the white flag at cybercriminals and turning that white flag into a blank check for info stealers.”
Other browsers don’t suffer from the issue. For example, Google Chrome, in line with security industry recommendations, offers a system called App Bound Encryption that encrypts browser data and ensures that it is not stored in process memory in plain text.
It is not a foolproof system; it has been broken in the past, but by determined hackers. The Microsoft bug, on the other hand, requires little skill to exploit.
Shipley said that if Google can do a better job of securing its browser, there is no reason why Microsoft couldn’t do so with Edge. “It’s clearly not a technical hurdle. It’s a motivational one, which shouldn’t surprise anyone because Microsoft is giving away the browser. You don’t pay for it, so why should they care about locking it down more than the bare minimum?“
Given Microsoft’s attitude, users may well want to look for another password manager, something that would be more secure.