Microsoft Edge stores saved passwords in plaintext memory, researcher warns
What's the story
Microsoft Edge, the tech giant's web browser, has been flagged for a major security flaw. The issue was highlighted by security researcher Tom Joran Sonstebyseter Ronning, who found that the browser loads stored passwords in plaintext in a computer's RAM. This could potentially allow malware to access these login credentials. Ronning demonstrated this vulnerability using a simple tool and command prompt with administrator privileges.
Company response
Microsoft defends password storage method
In response to the security concern, Microsoft defended its method of storing passwords in Edge. The company said that the potential threat only exists if a hacker has gained control over a user's PC, possibly through malware. "Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said in a statement.
Security concerns
Ronning highlights differences with Google Chrome
Ronning has raised concerns over Microsoft's approach to password decryption in Edge. He noted that unlike Google Chrome, which decrypts saved credentials only when needed, Edge keeps all passwords in memory at all times. "In contrast, Chrome will only decrypt the credential you need for autofill, when you need it, and it will be removed after," he said.
User experience
Microsoft says approach balances performance and security
Microsoft has also highlighted that its method of loading stored passwords in Edge can enhance user experience. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," the company said. "Browsers access password data in memory to help users sign in quickly and securely—this is an expected feature of the application."
Ongoing debate
Controversy sparks debate on password security measures
The controversy surrounding Edge's password storage security has sparked a debate. Some argue that the risk is exaggerated as it requires compromised admin access to a PC or server, which would expose the victim to other attacks too. However, others have questioned why Microsoft doesn't adopt stronger security measures for password storage.