Khaberni - Microsoft's "Edge" browser, which comes pre-installed in all versions of the "Windows 11" operating system, caused a big stir after a security researcher discovered a flaw in the password storage mechanism of the browser, and then contacted the company to be told that this was normal and they were aware of it.
Tom Yoran Sonsteipyster Roning, the security researcher who discovered the flaw, confirms that the browser holds passwords unencrypted in the device's memory while it is running, according to a report by the American tech site "Cyber News".
This makes the passwords easy to read for anyone who can access the device's memory, such as an attacker who has already taken complete control of the machine, a scenario that typically occurs during a cyber attack on any operating system.
Despite the "Edge" browser being based on the open-source "Chromium" core, which is the same core responsible for running browsers like "Google Chrome", "Edge" is the only one that behaves this way, according to Roning’s post on the "X" social media platform.
Edge's behavior contradicts widely accepted guidance from cybersecurity experts, which calls for passwords to be encrypted and stored securely out of the reach of hackers, according to a report by the American magazine "Forbes".
Microsoft, for its part, views this issue as expected and not a real threat to user accounts and their passwords, according to the response received by Roning when he tried to contact the company, as per the "Forbes" report.
An official Microsoft spokesperson stated, in a statement to the American tech site "Windows Central", that keeping passwords in memory is expected behavior in the browser and makes it operate faster.
The spokesperson confirmed that "safety and security are considered foundational pillars at Microsoft Edge, and accessing browser data – as per the scenario in the report – requires that the device has already been compromised", noting that the company follows design options that balance performance, ease of use, and user security.
What is the reason for the fear of the vulnerability?
Roning warned in his tweet that this vulnerability could be exploited in attacks on external corporate servers: if hackers gain administrative privileges on the server, they would be able to easily view the passwords held in memory.
The danger is greater on the servers of platforms and cloud services that might run "Edge", since it is already installed in "Windows 11" and may be used by some cloud server administrators.
On the other hand, Microsoft's statement indicates that the company is aware of the vulnerability, as stated in the "Windows Central" report, and chose to leave it in place to speed up access to passwords and user accounts.
Since "Edge" cannot be changed without Microsoft's intervention and a direct fix for the vulnerability, Roning advises deleting all passwords stored in the browser and moving them to an external password management tool.
There are many external password management tools that users can install and link with various browsers, including Edge. In that case, the external tool manages and stores the passwords itself and provides the browser with the encryption key only when needed, that is, when attempting to log into a site.