Image by gaertringen from Pixabay.

I was hoping to write a follow-up article to last week’s covering another classic computing architecture or lessons learned from classic computers, but something urgent came up on my news feed that I felt was necessary to share with my readers. Another blogger I follow, who calls his Facebook page “Ethical Hacking,” wrote about a major security issue in Microsoft Edge. If you don’t know what that is, Edge is the default browser that comes pre-installed on Windows 10 and Windows 11 computers. So in all likelihood, unless you are a macOS or Chromebook user, you are affected by this major security flaw. What makes it even sadder to me is that Microsoft has been aware of the issue since 2024 and has done nothing about it, not even an announcement. So it is high time for this issue to be made well known.

To put it very simply, Microsoft Edge is based on Google Chrome’s open-source codebase, with many modifications by Microsoft to “improve security,” which in my own opinion means to spy on their customer base. I am relatively sure that Google does the same with their official Chrome release, but that’s a story for another day. The bug is in the way Microsoft Edge treats stored passwords. Edge uses exactly the same encryption methods as Google Chrome, but when you open the Edge browser and visit a secure page that requests a password, Edge opens your password storage, decrypts all of your passwords, and stores the decrypted passwords in memory on the computer.

I know what you are thinking: “That doesn’t sound so bad. Don’t they need the decrypted password to enter it in the website’s password form?” You are exactly right; they have to decrypt it in order to use it, but they only need it for a very short period of time, and they only need the password you requested, not all of them. So they are making two major mistakes in how they handle the encrypted passwords. The first is that they decrypt all of them instead of just the one needed to open the protected page. Computer security should be treated like document security: information should only be released to the processor and memory on a need-to-know basis. In other words, nothing should be loaded into memory until it is needed.

The need-to-know basis for data access in a computer is important for two main reasons. The first is memory utilization. In the early days of computing, memory was very limited, so you only loaded into memory the information you needed at a specific time, and you cleared it as soon as you were done. This is one of the biggest problems with modern computers—the seemingly endless supply of memory has made programmers lazy, and they leave unneeded information in memory far longer than necessary. The second reason to use a need-to-know basis for what we load into a computer’s memory is security. If the information sits in memory unencrypted, any program running on the system can access it, so it becomes a security problem. In the case of the Microsoft Edge bug, this means that any program running on your computer now has access to all of the passwords for every website you stored in the Microsoft Edge database. This includes JavaScript running on your computer from remote websites. It means an untrustworthy website could launch an application and read all your username and password data from the computer; all it needs to do is request a login, and Edge will load the data while the script watches for changes in memory.

Microsoft Edge’s secondary issue with how it treats the passwords is that it keeps them in memory when it is done with them, until you close the browser completely. This means your passwords are not only sitting in your computer’s memory, where anyone smart enough to hunt through memory can find them; they are left there indefinitely. If you are anything like me, your web browser is open pretty much any time the computer is on, and you have logged in to at least one website, most likely Google or Facebook to check mail or read messages, so your passwords are sitting in memory for anyone to see.

So how did Google fix this issue in Chrome? They tackled both sides of the problem: first, they only load into memory the exact password you requested, based on the site you are trying to access. Second, they clear the password from memory as soon as it is sent to the website. They effectively addressed both issues back in 2024. So I have three recommendations to keep you safe online. The first is to stop using Microsoft Edge immediately and install something else; both Google Chrome and Firefox have more secure stored-password policies. The second is to stop letting any browser store your passwords, because you don’t know how well they are keeping your secrets secret. You are much better off using an actual password storage tool like Password Safe, which is a fairly secure tool for keeping all sorts of passwords, not just ones for websites. Third, if you have been allowing Microsoft Edge to store your passwords, change them all immediately and do not store the new ones when it asks. Then delete the password database from Microsoft Edge; you can learn how to do this by simply searching Google for “Clear Saved Passwords (Remember Me) in Browsers.” If you want to use “Remember Me” for things like Facebook and Gmail that you use every day, then only do it in Google Chrome or Firefox, never in Microsoft Edge. Until next week, stay safe and learn something new.
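The two-sided fix described above (unseal only the entry for the site being visited, then wipe it as soon as it has been handed to the form), as an added C example that is not code from the article, Edge or Chromium; the XOR "cipher", the site names and the passwords are constructed stand-ins for the real OS-backed encryption and stored data:

```c
#include <stdint.h>
#include <string.h>

#define MAX_PW 64
#define STAND_IN_KEY 0x5A  /* toy XOR "cipher", a stand-in for the OS-backed encryption */

typedef struct {
    const char *site;
    uint8_t ciphertext[MAX_PW];
    size_t len;
} StoredCred;
/* Wipe via a volatile pointer so the optimizer cannot drop it (same intent as explicit_bzero). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}
static int is_wiped(const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++) if (b[i] != 0) return 0;
    return 1;
}
static void seal(StoredCred *c, const char *site, const char *plaintext) {
    c->site = site;
    c->len = strlen(plaintext);
    for (size_t i = 0; i < c->len; i++) c->ciphertext[i] = (uint8_t)plaintext[i] ^ STAND_IN_KEY;
}
/* Need-to-know: unseal only the entry for `site` into the caller's buffer; every other entry stays sealed. */
static int fetch_for_site(const StoredCred *store, size_t n, const char *site, char *out, size_t outlen) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].site, site) != 0) continue;
        if (store[i].len + 1 > outlen) return -1;
        for (size_t j = 0; j < store[i].len; j++) out[j] = (char)(store[i].ciphertext[j] ^ STAND_IN_KEY);
        out[store[i].len] = '\0';
        return 0;
    }
    return -1;
}
/* One login: unseal the requested secret, hand it to the form (simulated), wipe it. Returns 1 if every property holds. */
static int demo_login_flow(void) {
    StoredCred store[2];
    char form[MAX_PW + 1];
    seal(&store[0], "mail.example", "hunter2");        /* constructed sample entries */
    seal(&store[1], "bank.example", "correct-horse");
    if (fetch_for_site(store, 2, "bank.example", form, sizeof form) != 0) return 0;
    if (strcmp(form, "correct-horse") != 0) return 0;            /* the one password that was asked for */
    if (memcmp(store[0].ciphertext, "hunter2", 7) == 0) return 0; /* unrelated entry is still sealed */
    secure_wipe(form, sizeof form);                               /* the plaintext's lifetime ends at submit */
    return is_wiped(form, sizeof form);
}
```

The plaintext exists in exactly one caller-owned buffer for the duration of one submit, which is what makes the wipe effective; a store that decrypts everything up front has nothing comparable to wipe.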

Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to shamilton@techshepherd.org or through his website at https://www.techshepherd.org.
