![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
A security researcher did some poking around and discovered a bad thing with the Edge browser. Every browser wants you to trust them with your passwords and credit card data. At least in the case of Edge and passwords, that trust may be unwarranted.
The researcher stored a password and then captured all the memory. And found the password in plaintext. Unencrypted, unhashed. Completely readable. Microsoft dismissed this finding, saying that the computer would have to be compromised by malware for this to be a vulnerability.
Well, guess what. COMPUTERS GET COMPROMISED BY MALWARE ON A REGULAR BASIS. THIS IS A PROBLEM.
The Edge browser is based on Google's Chrome browser. There are many browsers based on Chrome, and apparently they take the very minimal resources required to encrypt or hash said passwords.
No word if this problem exists on Edge browser on other operating systems such as Mac.
Now, here's the really bonus extra-stupid thing. If I'm a user on a computer, and I want to view a password for a web site, I HAVE TO ENTER MY LOGIN PASSWORD TO VIEW IT. It's already been decrypted and stuffed into memory in plaintext, but I have to authenticate myself to view it!
This is quite an amazing level of stupidity. The amount of CPU resources required to decrypt one password for one web site is miniscule. There is zero reason to decrypt all of those passwords and stuff them into ram where any malware can steal them.
https://www.pcmag.com/news/researcher-finds-microsoft-edge-stored-passwords-load-in-plaintext
https://yro.slashdot.org/story/26/05/06/2014204/microsoft-edge-stores-passwords-in-plaintext-in-ram
The researcher stored a password and then captured all the memory. And found the password in plaintext. Unencrypted, unhashed. Completely readable. Microsoft dismissed this finding, saying that the computer would have to be compromised by malware for this to be a vulnerability.
Well, guess what. COMPUTERS GET COMPROMISED BY MALWARE ON A REGULAR BASIS. THIS IS A PROBLEM.
The Edge browser is based on Google's Chrome browser. There are many browsers based on Chrome, and apparently they take the very minimal resources required to encrypt or hash said passwords.
No word if this problem exists on Edge browser on other operating systems such as Mac.
Now, here's the really bonus extra-stupid thing. If I'm a user on a computer, and I want to view a password for a web site, I HAVE TO ENTER MY LOGIN PASSWORD TO VIEW IT. It's already been decrypted and stuffed into memory in plaintext, but I have to authenticate myself to view it!
This is quite an amazing level of stupidity. The amount of CPU resources required to decrypt one password for one web site is miniscule. There is zero reason to decrypt all of those passwords and stuff them into ram where any malware can steal them.
https://www.pcmag.com/news/researcher-finds-microsoft-edge-stored-passwords-load-in-plaintext
https://yro.slashdot.org/story/26/05/06/2014204/microsoft-edge-stores-passwords-in-plaintext-in-ram
