this post was submitted on 04 May 2026
572 points (99.3% liked)

cybersecurity

6317 readers
15 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 3 years ago
MODERATORS
 

Hacker News.

When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.

At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.

Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.

It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.

Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.

If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on

(or even disconnected) users with Edge running. I reported this to Microsoft, and the official response was that the behavior is "by design". They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions

about how they manage credentials. Last wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway

Simple, educational proof of concept, to show that the passwords are stored in cleartext in memory.

Source.

all 42 comments
sorted by: hot top controversial new old
[–] NaibofTabr@infosec.pub 154 points 2 months ago* (last edited 2 months ago) (3 children)

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.

~Satya Nadella, Microsoft Chairman and CEO, May 3, 2024

https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/

So much for that I guess.

[–] ceenote@lemmy.world 106 points 2 months ago (1 children)

CEOs and empty words go together like politicians and empty words.

[–] mojofrododojo@lemmy.world 13 points 2 months ago

go together like Mslop and security.

[–] sp3ctr4l@lemmy.dbzer0.com 9 points 2 months ago

You don't understand; the mind bicycle believes otherwise, the mind bicycle is correct.

[–] Redjard@reddthat.com 4 points 2 months ago

Ah, you see this does not apply here because there is no tradeoff.
You can get the behaviour of other browsers without changing the user experience at all.

[–] 0ops@piefed.zip 83 points 2 months ago* (last edited 2 months ago) (7 children)

Yikes 😬. This prompted me to export and wipe my passwords from edge, which I've only kept on my work pc for the rare sites that have issues with non-chromium browsers. They show this warning in the export dialogue:

Your passwords will be visible to anyone who can see the exported file

The audacity lol

EDIT: They've apparently removed the "Passwords" option from the "Delete browsing data" menu. So now I'm removing my 100s of saved credentials one-by-one manually. Again, I can't stress this enough, the sheer fucking audacity of this shell of a shell of a tech company.

EDIT 2: I just keep finding stuff. So obviously Microsoft has never let you uninstall edge. That apparently didn't stop them from hosting this page:

Are you sure you want to uninstall Microsoft Edge?

That's obviously a rhetorical question, they offer no such option, the page is essentially just an ad. But it was the second result I saw when searching "uninstall ms edge" in duckduckgo. The fact that that page even exists says a lot actually, that enough people are searching for ways to uninstall it that they thought that it was worth it.

On that note, I can't slap Linux mint on this particular computer because it's for work and I need to use way too many proprietary windows-only programs to do my job. But does anyone recommend a script or tool for removing edge?

[–] RustyShackleford@piefed.social 22 points 2 months ago* (last edited 2 months ago)

I believe there was one a few years ago, but I think Microsoft patched it, and it’s reinstalled every Windows update. I’m pretty sure there was a manual command-line way to do it, but I’m not sure if they’ve patched that feature, yet.

Set another default browser (Firefox/Chrome/etc.)

Unpin Edge everywhere

Block EdgeUpdate tasks in Task Scheduler

Optionally use policy: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate

This avoids Windows updates quietly reinstalling or repairing Edge, which is common after feature updates.

[–] Kissaki@programming.dev 10 points 2 months ago (1 children)

Whether you can uninstall it is region dependent. You can uninstall it in the EU.

[–] Blackmist@feddit.uk 4 points 2 months ago

Can you though? There's a lot of internals of Windows that still depend on a browser rendering engine being present, as well as lots of 3rd party apps. WebView is just Edge in a DLL shaped trench coat.

[–] Zink@programming.dev 6 points 2 months ago (2 children)

You can run a LOT of Windows applications in Linux with how good compatibility layers have gotten. And there are also VMs as a heavier option.

Granted, for work stuff maybe it would be more convenient not to switch, but it might be interesting to experiment!

[–] nazokiyoubinbou@urusai.social 3 points 2 months ago* (last edited 2 months ago) (1 children)

@Zink @0ops I want to add on the subject of VMs for work: a VM is worlds easier to backup, to port to other hardware, etc etc. Plus it has some (potentially quite major) advantages of isolation. I'm actually of the opinion that any work environment that can safely go into a VM probably should anyway.

The only catch is the VM corporations aren't so great. VMWare is wrecked and Oracle isn't a great company either. Qemu is good, but really hard to use. (If you can do it, it's super portable and probably should be more reliable though.)

WINE options via a manager like Bottles with encapsulated runners are almost as good at this.

[–] Zink@programming.dev 2 points 2 months ago

Yeah, before we got the OK to just dual boot our laptops at work, I ran a linux VM inside windows for a while and it honestly worked very well.

Even now that I just run Linux, and Windows is VM-only for occasionally checking Windows build artifacts, it can be convenient to have a different Linux distro in a VM for random things.

[–] 0ops@piefed.zip 0 points 2 months ago

A few months ago I was trying out bottles and virtualbox on my media server (already on mint) with a particular plc-programming program I needed, but I didn't get anywhere. I don't remember the issue I was running into specifically. I might have to try again soon though when I have spare time. I've always had my gripes with Windows and Microsoft but the last few years of the ai boom they've really shit the bed, and it's really making my job more of a headache than it should be.

[–] zeezee@slrpnk.net 4 points 2 months ago (1 children)
[–] 0ops@piefed.zip -3 points 2 months ago (1 children)

Neat! I haven't tried this one. I'll see about trying it out when I have a slow day

[–] fossilesque@mander.xyz 2 points 2 months ago

Tried & true.

[–] AnarchistArtificer@slrpnk.net 4 points 2 months ago

Props to you for taking your outrage and funnelling it into something productive. I'm a nightmare for saying "I'll do it later", which, of course, means I never will (though I'm getting better at not doing this).

[–] Phantaloons@piefed.zip 2 points 2 months ago* (last edited 2 months ago)

But does anyone recommend a script or tool for removing edge?

Leave it, the company you work for is taking the risk of using Windows,... let them. If your accounts get stolen and they get hacked into, it's their risk, not yours, and since it's a work computer, you shouldn't have any personal info on it... right?

[–] Cyber@feddit.uk 51 points 2 months ago (2 children)

You know... with the state of cybersecurity at the moment, I am not surprised at all.

[–] xia@lemmy.ca 27 points 2 months ago (1 children)

I misread the title as "microsoft edge-lords", an now I can't stop giggling.

[–] prole@lemmy.blahaj.zone 3 points 2 months ago* (last edited 2 months ago) (1 children)

I read it as "Microsoft edges loads all over your..." before being like "wait what?" and starting over lol

[–] xia@lemmy.ca 2 points 2 months ago

To be fair, Microsoft has been getting pretty excited about AI recently...

[–] VitoRobles@lemmy.today 26 points 2 months ago

Good! I felt there was this major push in the past year for people saying "Fuck Google! I use Edge which is like Google Chrome but better!"

And now I can clown on them. (And also people who recommend Brave. Fuck those guys too)

[–] ICastFist@programming.dev 20 points 2 months ago

What's that, another incredible ~~bug~~ FEATURE of our lovely tech overlords?

[–] reksas@sopuli.xyz 13 points 2 months ago

so windows is unsecure by design

[–] HootinNHollerin@lemmy.dbzer0.com 11 points 2 months ago* (last edited 2 months ago) (1 children)

Wtf is even happening at Microslop

[–] VitoRobles@lemmy.today 6 points 2 months ago

Not much in my opinion. They lose a few points of satisfaction, roll back a tiny bit with a new release, then push their ad agenda again.

Most of the world is still happy eating their shit, just like it always has been.

[–] HonoraryMancunian@lemmy.world 7 points 2 months ago (1 children)
[–] Jesus_666@lemmy.world 4 points 2 months ago

"We could fix this but some people out there still like Windows and we're committed to putting an end to that nonsense."

[–] Agent641@lemmy.world 2 points 2 months ago

Sharing is caring

[–] MagnificentSteiner@lemmy.zip 0 points 2 months ago* (last edited 2 months ago)

Fucking hell lol

(Sorry for triggering the Microsoft Edge fans xD)