Microsoft Edge Password Exposure: How a Memory Dump Reveals Your Credentials
Published: 2026-5-12 06:29:27 | Source: infosecwriteups.com

Avyukt Security

By: Kavin Jindal (@Klevr)


A recent disclosure by a Norwegian security researcher has taken the Internet by storm. Tom Jøran Sønstebyseter Rønning recently published a detailed Twitter thread about how Microsoft Edge loads all the saved browser credentials in clear-text format into memory. One can read the passwords in clear text just by dumping the browser memory without undergoing any decryption process.

Unlike Edge, other Chromium browsers only decrypt the credentials when needed and use a layer of App Bound Encryption, which makes memory scraping ineffective. The passwords are only shown in cleartext during auto-fill or when the user desires to view them.

Surprisingly, Microsoft’s response to this finding stated that it was implemented by design and not a security flaw. Apparently, this design enables users to have a fast, secure experience when signing in to websites, requiring the browser to access passwords stored in memory.


All Microsoft Edge browsers, irrespective of version, have this flaw. In this article, I will provide a detailed walkthrough of the vulnerability, along with a POC (Proof-of-Concept) built in Python that automatically dumps all saved Microsoft Edge passwords from memory.

-0x00: Vulnerability Walkthrough

To reproduce this flaw, all you have to do is follow the steps below.

  • Open Microsoft Edge.
  • Open Task Manager.
  • Look for the Microsoft Edge parent process and expand it to reveal several different child processes.
  • Right-click on the “Browser” task and click on “Create memory dump file”.


  • You will get a pop-up message containing the path of the msedge.DMP dump file.
  • Open a Command Prompt in the folder that contains the dump.
  • The easiest way to demonstrate this flaw is with the Strings utility that is provided as part of the Sysinternals suite. If you have worked with Linux, you will recognise the tool, since it ships with most Linux distributions. It does not come with Windows by default, but it can be downloaded from the link below:

https://learn.microsoft.com/en-us/sysinternals/downloads/strings

  • After downloading it, you can run strings from the command prompt to extract the printable strings embedded in binary data. It is commonly used to analyse executables and other binaries and, in this case, memory dumps.
  • Use the following command to fetch the credentials stored in the Edge browser:
strings msedge.DMP | find ".comhttps "


  • As is clearly visible, the username or email address, the password and the domain where the credentials are used have all been recovered from the memory dump in a few easy steps, without any decryption.

-0x01: Dumping credentials using a custom-built Python Tool

  • To better demonstrate this vulnerability, I built a simple Python script that automatically fetches the MS Edge process ID, dumps the browser memory and parses the dump to extract saved credentials.
  • The tool can be found on the GitHub repository below.
  • Make sure to install the following dependencies before running the script:
    pip install psutil minidump
  • Run main.py using python3 main.py in the terminal.


  • As you can see, the saved credentials were extracted from the dump within seconds.
  • The script uses psutil to find the relevant process ID, then calls the Windows API functions MiniDumpWriteDump and CreateFileW to write the memory dump into the working directory. The third-party Python library minidump is then used to parse the dump segment by segment and extract the stored credentials.

-0x02: Conclusion

  • Exploitation of this flaw requires the attacker to have initial access to the system, but that does not make it any less effective. Once inside, all saved passwords of logged-in Edge users can be extracted with minimal effort. What makes this case surprising is that Edge is built on Chromium, yet Chromium itself does not keep passwords in memory in human-readable form. On top of that, Microsoft outright dismissed the finding as an intentional design decision, which has sparked a debate about the overall safety of storing passwords in browsers. In any case, the best practice for keeping your credentials secure is to use a dedicated password manager such as Bitwarden, which stores your passwords encrypted, instead of the browser.

I hope you found this article worth your time. Make sure to follow Avyukt Security for more cybersecurity-related content and research!


Source: https://infosecwriteups.com/microsoft-edge-password-exposure-how-a-memory-dump-reveals-your-credentials-c18b1aa7046a?source=rss----7b722bfd1b8d---4