Cyber security researcher @L1v1ng0ffTh3L4N posted about the exploit on X, and says “Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
So not only does it do this, but Microslop went out of their way to create this behavior on purpose
Didn’t Microsoft insist on TPMs for Win11? Isn’t the whole point of them to hold keys out of system memory?
It's only to safeguard their own interests, not the users'.
This really isn’t an issue. If someone is already on your computer and logged in, you are fully compromised already. If the passwords are stored in your browser then they can use those passwords to change your passwords as well.
Storm in a teacup, but “Microsoft bad” so this will do well here.
Maybe I’m dumb, but what would anything else protect against in the common scenarios?
If you have malware on your machine that exploits this, it could just monitor the Edge process all the time and then get the master key during decryption anyways.
This makes it easier. The less sophisticated an attack is needed (reading from memory whenever you want vs. extracting the key during decryption), the more of an attack surface there is.
That’s especially a problem since Edge is based on Chromium, which has more careful handling of passwords by default. Microsoft had to actively change that to get the current behavior.
If you’ve already got malware on your machine that can exploit this, how or where the passwords in your browser are exposed is entirely irrelevant.
This is just another one of these non-issue “vulnerabilities” where your computer has to already be completely cracked wide open to be exploited.
You assume malware that comes from somewhere else and has full access to the entire system by the time it tries to attack the browser. If your default scenario is that the system has been completely compromised by arbitrarily complex malware, there’s no point in security measures at all because they’ve already failed by definition.
What about malware that runs inside the browser, e.g. after exploiting a vulnerability in the JS runtime? Peeking at the browser’s memory would be easier than breaking out of containment and obtaining control of the entire system. It would even be easier than obtaining control of the browser to a degree where you can access credentials without user intervention. Even if we assume that it’s as simple as reading the key from an easily found location and the credentials from another easily found location, that’s more work than just reading the credentials. And it becomes harder if the locations are less easily found.
Also, a defense doesn’t have to offer perfect protection in order to be worthwhile. It’s all a game of likelihoods; making an attack harder means it’s less likely to be done. Any additional step the attacker needs to take offers more protection because the attacker actually needs to take it. Microsoft actively worked to reduce the number of steps an attacker needs to take, which is worth calling out.
Defense in depth is important. Don’t insist that one single safety mechanism should protect against everything when layering them is known to be more effective.
In practice, most people's Chrome will have the key available in one form or another all the time anyways, because most people don't need to unlock their stored passwords every time they use one.
Not saying this isn’t dumb by MS, but it doesn’t open up a new attack vector.
It doesn’t open up a new vector, but it makes an obvious one MUCH larger.
Just uninstall Edge.
Just uninstall Windows.
Good advice. Luckily I use Linux as my primary OS.