Edge Loads Your Passwords Into Memory In Plain Text. Microsoft Says "Working As Intended." The Flock Weeps.
I have been doing this for thirty-one years. Thirty-one years of watching the Shepherds make catastrophically stupid decisions and then explain, with a straight face, that the catastrophically stupid decision was actually a feature. And yet, somehow, Microsoft has found a way to make me genuinely tired in a new way.
Here is what happened. Microsoft Edge, which the Flock is apparently using now because it came pre-installed and nobody pushed back, was loading every single saved password into process memory in clear text at startup. Not encrypted. Not obfuscated. Plain. Text. A Wolf with basic memory-scraping parasites could hoover up your entire credential vault before you finished your morning coffee.
Microsoft's initial response? "This is by design."
BY DESIGN.
I want you to sit with that. I stored classified routing tables on magnetic tape in 1987 and I had the professional dignity to at least label the tape incorrectly as a precaution. These people built a browser that waves your passwords at any passing Wolf and called it an architectural decision.
The good news, if you are generous enough to call it that, is that Microsoft has since reversed course and will be patching this particular hole in the fence. The bad news is that "we will stop doing the obviously catastrophic thing" is now considered a win in this industry, and everyone is applauding.
In the Old Days, if you left credentials in plaintext in a shared memory space, you did not get a changelog entry. You got a very uncomfortable phone call and a new job in a different field.
The Sky Pasture ecosystem, the browser-as-everything paradigm, the "let us save your passwords for you, little lamb" convenience model: this is what produces these situations. We traded discipline for comfort, and we are shocked, repeatedly, that the Wolves found the gap.
Remediation
First: stop storing passwords in your browser. I do not care how convenient it is. Convenience is the enemy. Use a dedicated password manager with actual encryption architecture.
Second: if you are running Edge in an enterprise environment, audit your memory protection policies immediately. Your Shepherds will not do this on their own. They are busy approving the Sky Pasture migration.
Third: apply the forthcoming patch the moment it is available. Do not wait. Dipping the flock after the tick infestation is a very different conversation than dipping them before.
Fourth, and I cannot stress this enough: question every vendor who tells you something dangerous is "by design." That is not engineering. That is a hostage negotiation.
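For the enterprise audit in the second step and the patch check in the third, here is an added PowerShell script that is not part of the original post and not Microsoft's own tooling. It reads the Edge `PasswordManagerEnabled` policy from the standard machine and user policy keys (an assumption that these are the keys your fleet uses), reports the installed Edge build, and, with `-Enforce`, sets the machine-scope policy so Edge stops offering to save passwords at all. `$FixedVersion` is a placeholder; replace it with the patched build number once Microsoft publishes it.

```powershell
# Added example, not from the original post. Audits (and optionally enforces)
# the Microsoft Edge "PasswordManagerEnabled" policy so the built-in password
# store is disabled, and reports the installed Edge version so the forthcoming
# fix can be verified once its build number is known.
# Assumptions: the registry paths below are the standard Edge policy keys;
# $FixedVersion is a PLACEHOLDER to be replaced with the real fixed build.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [version]$FixedVersion = '0.0.0.0'   # PLACEHOLDER: set to the patched Edge build
)

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
$edgePaths = @(
    "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
)

# Returns one object per policy scope where PasswordManagerEnabled is set.
function Get-EdgePasswordManagerPolicy {
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{ Scope = $key; Value = [int]$item.PasswordManagerEnabled }
            }
        }
    }
}

# Returns the installed Edge build as a [version], or $null if not found.
function Get-EdgeVersion {
    foreach ($p in $edgePaths) {
        if (Test-Path $p) {
            return [version](Get-Item $p).VersionInfo.ProductVersion
        }
    }
    return $null
}

# --- Audit: is the built-in password manager disabled by policy? ---
$findings = @(Get-EdgePasswordManagerPolicy)
if ($findings.Count -eq 0) {
    Write-Warning 'No PasswordManagerEnabled policy set: Edge will offer to save passwords.'
} else {
    foreach ($f in $findings) {
        $state = if ($f.Value -eq 0) { 'DISABLED (good)' } else { 'ENABLED (review)' }
        Write-Output ("{0}: PasswordManagerEnabled = {1} -> {2}" -f $f.Scope, $f.Value, $state)
    }
}

# --- Audit: is the installed build at or past the fixed one? ---
$ver = Get-EdgeVersion
if ($null -eq $ver) {
    Write-Output 'Edge not found in the standard install locations.'
} elseif ($ver -lt $FixedVersion) {
    Write-Warning ("Edge {0} is older than the fixed build {1}; update." -f $ver, $FixedVersion)
} else {
    Write-Output ("Edge {0} meets or exceeds {1}." -f $ver, $FixedVersion)
}

# --- Optional enforcement (machine scope; requires an elevated shell) ---
if ($Enforce) {
    $key = $policyKeys[0]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output "Set $key\PasswordManagerEnabled = 0 (Edge password saving disabled by policy)."
}
```

Run it without switches on a sample of endpoints first to see where the policy is missing; run with `-Enforce` from an elevated shell (or push the same DWORD through Group Policy) to disable the built-in store fleet-wide. The policy stops Edge from saving and filling passwords going forward; credentials already sitting in the browser store still need to be moved to the dedicated password manager and cleared from Edge by the user.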
Woolridge out. I need to go lie down next to my air-gapped terminal.
Original Report: https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/