A security researcher has discovered that Microsoft Edge will load all your stored passwords into memory in plaintext at startup, making it easy for malware to scrape those passwords.
Maybe I’m dumb, but what would anything else protect against in the common scenarios?
If you have malware on your machine that exploits this, it could just monitor the edge process all the time and then get the master key during decryption anyways.
This makes it easier. The less sophisticated an attack is needed (reading from memory whenever you want vs. extracting the key during decryption), the more of an attack surface there is.
That’s especially a problem since Edge is based on Chromium, which has more careful handling of passwords by default. Microsoft had to actively change that to get the current behavior.
You assume malware that comes from somewhere else and has full access to the entire system by the time it tries to attack the browser. If your default scenario is that the system has been completely compromised by arbitrarily complex malware, there’s no point in security measures at all because they’ve already failed by definition.
What about malware that runs inside the browser, e.g. after exploiting a vulnerability in the JS runtime? Peeking at the browser’s memory would be easier than breaking out of containment and obtaining control of the entire system. It would even be easier than obtaining control of the browser to a degree where you can access credentials without user intervention. Even if we assume that it’s as simple as reading the key from an easily found location and the credentials from another easily found location, that’s more work than just reading the credentials. And it becomes harder if the locations are less easily found.
Also, a defense doesn’t have to offer perfect protection in order to be worthwhile. It’s all a game of likelihoods; making an attack harder means it’s less likely to be done. Any additional step the attacker needs to take offers more protection because the attacker actually needs to take it. Microsoft actively worked to reduce the number of steps an attacker needs to take, which is worth calling out.
Defense in depth is important. Don’t insist that one single safety mechanism should protect against everything when layering them is known to be more effective.
In practice, most people’s chrome will have the key available in one form or another all the time anyways because most people don’t need to unlock their stored passwords every time they use one.
Not saying this isn’t dumb by MS, but it doesn’t open up a new attack vector.
Maybe I’m dumb, but what would anything else protect against in the common scenarios?
If you have malware on your machine that exploits this, it could just monitor the edge process all the time and then get the master key during decryption anyways.
This makes it easier. The less sophisticated an attack is needed (reading from memory whenever you want vs. extracting the key during decryption), the more of an attack surface there is.
That’s especially a problem since Edge is based on Chromium, which has more careful handling of passwords by default. Microsoft had to actively change that to get the current behavior.
If you’ve already got malware on your machine that can exploit this, how or where the passwords in your browser are exposed is entirely irrelevant.
This is just another one of these non-issue “vulnerabilities” where your computer has to already be completely cracked wide open to be exploited.
You assume malware that comes from somewhere else and has full access to the entire system by the time it tries to attack the browser. If your default scenario is that the system has been completely compromised by arbitrarily complex malware, there’s no point in security measures at all because they’ve already failed by definition.
What about malware that runs inside the browser, e.g. after exploiting a vulnerability in the JS runtime? Peeking at the browser’s memory would be easier than breaking out of containment and obtaining control of the entire system. It would even be easier than obtaining control of the browser to a degree where you can access credentials without user intervention. Even if we assume that it’s as simple as reading the key from an easily found location and the credentials from another easily found location, that’s more work than just reading the credentials. And it becomes harder if the locations are less easily found.
Also, a defense doesn’t have to offer perfect protection in order to be worthwhile. It’s all a game of likelihoods; making an attack harder means it’s less likely to be done. Any additional step the attacker needs to take offers more protection because the attacker actually needs to take it. Microsoft actively worked to reduce the number of steps an attacker needs to take, which is worth calling out.
Defense in depth is important. Don’t insist that one single safety mechanism should protect against everything when layering them is known to be more effective.
In practice, most people’s chrome will have the key available in one form or another all the time anyways because most people don’t need to unlock their stored passwords every time they use one.
Not saying this isn’t dumb by MS, but it doesn’t open up a new attack vector.
It doesn’t open up a new vector, but it makes an obvious one MUCH larger.