[gruez]

This feels like a case of "It rather involved being on the other side of this airtight hatchway"[1]. If you can read arbitrary process memory, you're probably also in a position to just dump out the passwords by pretending to be the user in question.

> If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.

If an attacker has administrative access, they can also attach a debugger to every chrome process and force it to decrypt all the passwords. The only difference this really makes is in coldboot attacks, but even then it's still not clear whether it makes the attacker's job slightly easier, or allows an attack that's otherwise not possible.

[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

[maxloh]

This logic is perfectly aligned with the Chromium threat model. Once an attacker gains administrator access, it is game over by definition.

I doubt this is an Edge-specific issue. Microsoft has no interest in making their browser less secure than its upstream.

> Why aren‘t physically-local attacks in Chrome’s threat model?

> We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome ­— all applications must trust the physically-local user.

https://chromium.googlesource.com/chromium/src/+/148.0.7778....

[formerly_proven]

It's a very standard defense-in-depth technique to put secrets between guard pages and only make the secret page readable when needed. That way any inadvertent access, be it programming error or exploit, simply causes a segfault, unless it's raced with a valid access (in a multithreaded or shm context) or the exploit explicitly changed the permission bits. Most memory disclosure vulnerabilities don't allow you to do that.

That being said any single password, when used, passes through so many layers and components that it's likely impossible to even just wipe the contaminated memory locations. But that's fine, the password database is opened for most of the browser's lifetime, any given password actively being used is a rare event in comparison.

[BobbyTables2]

Wouldn’t a guard page be readable in Linux with /proc/self/mem ? (at least read only pages are writable with it)

[widelyusygas]

> It's a very standard defense-in-depth technique

Is there any software we’d be aware of which uses this technique

[slurmz]

Windows and OpenSSL both do this

[yellowapple]

> I doubt this is an Edge-specific issue.

It absolutely ain't Edge-specific. Firefox (AFAICT) also keeps stored passwords in clear-text unless encrypted with a passphrase (which is not the default on desktop; on Android there's a fingerprint/PIN check to access them, but I don't know offhand if there's any encryption involved with that).

Really this is true of most credentials stored within applications; unless you're providing a decryption key on open (whether explicitly or on OS-level login using some keychain mechanism), the stored credentials are probably plaintext.

[cromka]

Or unless you need to reenter password/offer fingerprint after certain amount of time. Which, I think, should be the actual standard, and typically is with the apps like Bitwarden.

[sandworm101]

>> Microsoft has no interest in making their browser less secure than its upstream.

Microsoft has every interest in spending as little money as possible on edge, just enough to keep people swalling the tripe. User privacy is not a thing at MS and hasnt been for decades. Plaintext passwords in a MS product is just another monday. It will take decades more to convince me they have changed.

[stackghost]

Look, Ihate Microsoft too but Edge is just Chrome with a different skin, so they'd have to have gone out of their way (and spent money paying engineers) to make Edge less secure than Chrome/ium.

[wolvoleo]

The whole point of them using chromium shows how little they care.

The old edge wasn't used much no but that wasn't due to its engine. Most people don't even know what a browser engine is.

They just didn't want to bother making a browser. But they want to benefit from the marketing advantages of having a browser so now they just lift along with chrome.

[thewebguyd]

> shows how little they care.

I think they do care, but they care about relevance, not browser monoculture. Doesn't matter how good Trident was, no one was ever going to use it. Even Firefox is barely hanging on, and the only reason Safari is still somewhat relevant is because it's the only choice on iOS.

And my relevance I mean their bread and butter, enterprise, not consumers. Edge is what lets MS give enterprise IT departments maximum control without the grumbling of "we'd rather have Chrome" from the end users.

[wolvoleo]

Well that's the thing. I don't think anybody didn't use Edge because it was a different engine. The majority of users have no idea that edge is just chrome now.

It's just when they moved to chromium they also stepped up the marketing around it and all the lock-in in Windows and that's really what got people to use it. Basically the same thing they did to make IE a monopoly.

They also really heavily pushed companies to start using it. Every time we had a call with a MS consultant and we shared a screen they had to bitch about us not using edge, as if they were on commission or something. Eventually they manipulated our leadership into mandating edge to all employees. It's totally locked down now too, it's terrible for the users.

But my point is, they could have done this with the trident version of edge too. I've never heard anyone complain about compatibility. Whenever people didn't want to use edge it was because of a (totally justified) distrust of Microsoft. We should never give control over the internet to them again after what they did with IE (making it a monopoly through illegal means and then leaving it to wither away full of security holes). But unfortunately at work they have got them to remove all other browsers :(

[NewsaHackO]

Come on, they could still get a blood sample to really verify that its the user

[Lorkki]

In recent years we've also had browser-exploitable vulnerabilities that allowed reading arbitrary memory as a regular user, but slowly or without full control over the locations. I think wiping credentials as soon as possible after use is a very sensible precaution, even if it's only a moat.

[giancarlostoro]

I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a sites login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?

[IgorPartola]

I think the point is that you can have arbitrary website read the browser’s memory so example.com can read the password for example.org and example.net.

[traderj0e]

Or the computer's memory via Meltdown and Spectre-like attacks

[anthk]

That's why I disable JS by default with UBlock Origin. And OFC never allow JS to acces your clipbaord.

[avereveard]

It's surprisingly hard to do the compiler or cpu may see a write without a read and optimize it away. Windows has a SecureZeroMemory and a few other barrier primitives but not all languages reach to it

[turtlebits]

Security isn't black and white. If i leave a post-it note of my logins on my monitor, that's definitely less safe than in a unlocked drawer, and so on.

[stouset]

If I leave a post-it note of passwords on my monitor inside a vault to which only I have access, it’s not a big deal. That’s the point of the “airtight hatch” metaphor.

[solidasparagus]

I think we've moved away from the secure perimeter thinking and towards defense in depth - if that list of passwords helps you get somewhere other than the vault, removing the post-it improves security. Vaults get infiltrated all the time - and often in partial ways like being able to see into the vault but not reach in.

[dwattttt]

Defence in depth matters, but an analysis here shows that the same mechanism used to breach the outer layers (getting administrative access) can be used to breach the next layer (more thoroughly prodding Edge or Chrome to give up passwords).

[Someone1234]

Right; but in the scenario of this Tweek, you've invited someone untrustworthy into the vault and are then freaking out because they can see the post-it note of passwords. It is inherently irrational.

This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscation it before use (and that memory too is dump-able).

All adding in-memory obfuscation does it make ignorant people feel better, while not moving the security needle even an inch.

[stouset]

I think we’re largely in agreement. I do think there’s some benefit in reducing the amount of time that a password is in cleartext in memory. But it’s pretty far down the list.

[ignoramous]

> This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure

Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.

[oasisaimlessly]

No, that is actually very rare, not typical. Do you have any examples of password managers that do that?

[jazzyjackson]

One more reason to use hardware-bound passkeys and not passwords.

[Someone1234]

True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.

I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.

[gruez]

> If i leave a post-it note of my logins on my monitor, that's definitely less safe than in a unlocked drawer, and so on.

Having passwords on post-it notes does make certain types of attacks much easier. For instance, coworkers hacking other coworkers, or people burglarizing the office. None of which really apply to the "If an attacker gains administrative access on a terminal server" scenario.

Continuing the analogy, what Edge is doing is like leaving cash in unlocked cabinets inside a vault, and what Chrome's doing is locking those cabinets with a padlock. Sure, having the padlocks makes the cash more secure, but if someone went through all the effort into breaking the vault (terminal server), a padlock probably isn't going to stop them. This is especially true nowadays with AI coding agents and ready-made stealers available for sale online.

[forgotaccount3]

> Having passwords on post-it notes does make certain types of attacks much easier.

It also makes other attacks much harder. Namely I don't need to worry about some zero-day in my password manager.

[RajT88]

The way to think about security is as a system of layers, each of which filters out ever more sophisticated attackers.

We should care about all kinds of attackers, and not assume that the protections against the most sophisticated will obviate the protections against the least sophisticated.

[cachius]

The Swiss cheese model. Each single layer has holes, but when stacked the combined hole area is minimized https://en.wikipedia.org/wiki/Swiss_cheese_model

[slow_typist]

The Swiss cheese model is what people use to sell you more 'security' related software systems that inherently involve more problems. (Also cheese is not very durable, even the kind without holes.)

[LorenPechtel]

Swiss cheese applies to more than just security systems.

Hiking with two GPS-capable devices is Swiss cheese.

[slow_typist]

That is redundancy in my book. I don’t expect holes in my GNSS devices. And if you want to be sure, bring three, because two GNSS units with different readings are not very helpful.

[ButlerianJihad]

That was an enlightening read, considering the colloquial meaning of "your firewall security is like Swiss cheese"

https://en.wiktionary.org/wiki/Swiss_cheese#Noun

What's next? A system so secure that you can drive a truck through it? A honeypot in the center of a wasp nest?

[yjftsjthsd-h]

Okay. Can you describe an attack / threat model where it would matter in this particular case?

[wat10000]

https://en.wikipedia.org/wiki/Spectre_(security_vulnerabilit...

[keithnz]

isn't it at risk of any code pathway that somehow allows you exceed a buffer and read memory unbounded? Then a nefarious web page could capture that? That's a huge exposure surface.

[Dylan16807]

I'm pretty sure a read exploit in a web page wouldn't be in the same process as the passwords.

If you can cross over to the main Edge process, you can probably get it to remove any encryption it applied itself.

[pibaker]

Agreed. I keep seeing "high priority" "vulns" that require so much system access to actually exploit that they become pointless. If an untrusted process can read your memory or run as an administrator you have already lost.

It honestly feels like more and more "security" people and businesses have less interest in actually securing systems and more in marketing themselves and their business hence the tendency to make every niche attack into a five alarm fire.

[userbinator]

Many of them also have vested interests in furthering corporate authoritarianism, which is why letting users have full control over their devices is considered a security risk to them.

[mintplant]

Have we already forgotten Cloudbleed [0]?

[0] https://en.wikipedia.org/wiki/Cloudbleed

[slow_typist]

All true, but it is still bad style. There is no need to keep decrypted passwords in memory the user hasn’t even used in the session (or after they logged in to a certain website).

[netrap]

So you decrypt each time you need it? What is the difference in the attack surface?

[slow_typist]

What I don’t need doesn’t need to live unencrypted in my RAM. Of course I do. It is standard behaviour of iOS, and of a lot of password managers. If someone grabs my laptop and runs, at least they can’t capture my hn account.

[asdfman123]

So you're saying it's an Edge case?

[cush]

So as a user, when I go to paste any password, I first need to log in with biometrics, yet any random user process can just snag the password from memory?

What am I missing here?

[wat10000]

There's little hope of protecting against a snooper seeing the passwords you actually use, since they have to exist in plaintext at some point. But there's no reason to expose the entire password database when no passwords are even being used.

[hWuxH]

What's the threat model where not storing them all at once provides any benefit? If someone has admin it's already game over. Can just hook the browser to retrieve all passwords on demand.

[wat10000]

An attacker might only have read access. Could be a read buffer overflow like Heartbleed, a partial sandbox escape, a sophisticated Spectre-type vulnerability, a cold boot attack, or something mundane like a core file taken from a crashed process that gets into the wrong hands.

[Dwedit]

Reading arbitrary process memory can be done as a standard user. No admin needed. Any Win32 program can do it. You just can't access the memory from processes that are admin-level.

[dvt]

This is not true. The canonical way to prevent access is via PAGE_NOACCESS[1]. Obviously, running as admin or in kernel mode breaks the whole thing since you can re-call `VirtualProtect` on that page and open it up.

[1] https://learn.microsoft.com/en-us/windows/win32/memory/memor...

[Someone1234]

This is accurate as far as page protection goes. The problem is the largest threat model.

If Process A and Process B are running in the same user context on a desktop OS, PAGE_NOACCESS is not a strong boundary by itself. Process B may be able to obtain PROCESS_VM_OPERATION/PROCESS_VM_READ, change the page protection with VirtualProtectEx, inject code that calls VirtualProtect inside Process A, load a DLL, attach as a debugger, duplicate useful handles, or tamper with the executable. That's the problem with same-user process isolation, it is a hugely leaky abstraction. There is no magical "just set this bit" fix.

On a desktop OS, once an evil process runs under the same user context, you are relying on process DACLs, integrity levels, code-signing, anti-injection hardening, and file-system protections. You can plug one path and still have several others.

[dvt]

This comment feels like it's written by AI. Anyway, PAGE_GUARD helps you get around VirtualProtectEx, which is a very common way of detecting userspace cheats.

[Someone1234]

> This comment feels like it's written by AI.

Why exactly? I'm genuinely asking, because I feel like I get this a lot, and it is pretty frustrating.

[BalinKing]

I'm not the other commenter (and I believe you that it's not AI), but I'd guess it's mostly the first line: a short affirmation followed by "The problem is ...." feels like the sort of formula the LLMs love to use. (Not trying to imply that there's anything inherently wrong with it, of course.)

While we're at it, I'm under the impression that the recent LLMs have also co-opted "genuinely", which I'll never forgive them for—first they stole my em-dashes, and now they're stealing my adverbs too?!

[verall]

I do see how your comment is similar to AI writing (a couple other comments explain) but it did NOT set off my AI trigger. I think it's just clear writing.

[itemize123]

basically very verbose and detailed but also very indirect. didn't get to the point till the end.

[dvt]

> The problem is the largest threat model.

Without context, sentences like this mean nothing. So it's borderline a non sequitur. A threat model can be literally anything. Me giving my PC to someone at Best Buy, letting my grandma write assembly, or throwing my PC out the window can be a "large threat model." Nonsense sentence.

> If Process A and Process B are running in the same user context on a desktop OS, PAGE_NOACCESS is not a strong boundary by itself. Process B may be able to obtain PROCESS_VM_OPERATION/PROCESS_VM_READ, change the page protection with VirtualProtectEx, inject code that calls VirtualProtect inside Process A, load a DLL, attach as a debugger, duplicate useful handles, or tamper with the executable.

To the uninitiated this seems right, but really there's so much glossing over, it feels written by a non-expert that just read the first chapter of a "hacking for dummies" book. I've written anti-cheats and have even done some some hardware stuff, so I say this with some degree of experience: writing a userspace hack/cheat is pretty hard without a zero-day. Most stuff won't easily get PROCESS_VM_OPERATION permissions, also those are (afaik) logged by the kernel, so you can easily see if some weird "DefinitelyNotACheat.exe" executable or "NotABadLibrary.dll" requested them, so it's a pretty janky way of getting access to memory you shouldn't.

> That's the problem with same-user process isolation, it is a hugely leaky abstraction. There is no magical "just set this bit" fix.

Again, this is a non sequitur. No one said (or at least I didn't) that there's a "magical" bit. You're not even arguing against a strawman, it's almost like we're having two different conversations.

> On a desktop OS, once an evil process runs under the same user context, you are relying on process DACLs, integrity levels, code-signing, anti-injection hardening, and file-system protections. You can plug one path and still have several others.

Also seems right, and it kinda' is, but code signing is notoriously easy to circumvent, "anti-injection hardening" can mean like three million different things, etc. I dunno, just sounds like someone that's never done this stuff before. Like, not bringing up Detours[1] when talking about "anti-injection" just seems like weirdly avoiding the ONE canonical way of doing this, which just about every single hacking/cracking book covers. Idk, weird omission.

Also, no one in their right mind would attach a debugger, as that's trivial to detect[2]. I guess it could be a decent proof of concept, but no serious hacker would ever go that route. (Also, if I remember correctly, you also need to ship some special DLLs that have the actual debugging helpers—and same with Detours, so might as well do that).

Just wanted to give my justification for the accusation. Maybe I'm wrong and maybe that's why I'm getting the downvotes, so my bad.

[1] https://github.com/microsoft/detours

[2] https://learn.microsoft.com/en-us/windows/win32/api/debugapi...

[Dwedit]

Guard pages are one-shot exceptions used for growing the stack.

[dvt]

They also act as access alarms[1]. Why even comment if you didn't bother to read the docs?

> The PAGE_GUARD protection modifier establishes guard pages. Guard pages act as one-shot access alarms. For more information, see Creating Guard Pages.

[1] https://learn.microsoft.com/en-us/windows/win32/api/memoryap...

[LtdJorge]

And if the malware is running as admin, you’re pretty fucked either way

[munk-a]

Thankfully our recent experiences with OpenClaw have given us all a lot of faith that users are extremely diligent in what processes they allow access to what information.

[jurf]

Yeah because Meltdown and Spectre [0] weren't a thing.

[0] https://spectreattack.com/

[hWuxH]

If passwords are fetched remotely on-demand, you steal the account API key from memory. If they're encrypted, you steal the master password or decryption key. ... So what's your solution?

[jurf]

I think it’s more about layers of defense being always better than relying on a single point of failure.

IIRC those bugs could only steal data, not do remote execution. If you did not store even the encrypted passwords in memory, getting the password/key to them compromised would still keep you safe, or at least upgrade it to a timing attack.

[colechristensen]

>If you can read arbitrary process memory, you're probably also in a position to just dump out the passwords by pretending to be the user in question.

This is the load bearing argument and it is false.

There are plenty of circumstances were you can grab a piece of process memory but not all of it.

There are plenty more circumstances where you can grab process memory but not kernel memory.

There are plenty more (almost all) where you can dump kernel and process memory but you can't access the keys stored in the TPM module.

Leaving the door open for anyone with the smallest exploit is stupid and bad security.

[tardedmeme]

They want obscurity and think it's security. Everything needed to get the passwords must be present in memory but they don't want to be able to actually see the passwords directly.

[angry_octet]

This is a fallacious belief. While there is not point in obscurity, there is much value in not making it trivially easy to read passwords, as most exploits (especially of chromium) are not full user compromise, but the ability to massage some memory structures and read/write specific interesting bytes.

Additionally, the passwords could be kept encrypted in another process, and decrypted on demand, essentially a password vault. This lets you use techniques like biometric or physical button approval for password use, and reduces the likelihood of a browser memory dump containing passwords.

File audit capabilities in the OS can also be tuned so that only the vault application should be reading the vault file. Make info stealers job difficult.

[dvt]

This is 100% that case. Basically every form (like this very one I'm typing in) is held in userspace memory un-encrypted. And yet lawyers and doctors and CIA operatives all use forms to type very sensitive stuff in.

It would be stupid, wasteful, and overly-complex to encrypt forms just in case some malicious process somehow got ring0 access. In that case, a keylogger is likely more useful anyway. And you're fucked even if you are encrypting stuff (as keys are likely also somewhere in memory[1] and they need to be—gasp—unencrypted). There's no free lunch.

Stupid Twitter thread meant to rage-bait for engagement.

[1] They could also be on disk or on some peripheral, but still fully readable by a motivated-enough hacker.