{"id":12665,"date":"2026-05-07T04:03:43","date_gmt":"2026-05-07T04:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/07\/32954\/"},"modified":"2026-05-07T04:03:43","modified_gmt":"2026-05-07T04:03:43","slug":"32954","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/07\/32954\/","title":{"rendered":"Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th)"},"content":{"rendered":"\n<div>Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th)<\/div>\n<div>\n<p>Yup, that is for real.<\/p>\n<p>For me, this started with a post on X at\u00a0<span style=\"font-size:12pt\"><span style='font-family:\"Aptos\",sans-serif'>hxxps:\/\/x.com\/intcyberdigest\/status\/2051406295828250963?s=61 , which highlighted research by\u00a0<\/span><\/span><span class=\"r-18u37iz\"><a class=\"css-1jxf684 r-bcqeeo r-1ttztb7 r-qvutc0 r-poiln3 r-1wvb978 r-1ny4l3l r-1ddef8g r-tjvw6i r-1loqt21\" dir=\"ltr\" href=\"https:\/\/x.com\/L1v1ng0ffTh3L4N\" role=\"link\" style=\"color: rgb(29, 155, 240);\">@L1v1ng0ffTh3L4N<\/a>\u00a0that found exactly this issue.\u00a0 Edge stores all of your browser passwords in clear text, even if you haven&#8217;t used them in this session, y&#8217;know, just in case.<\/span><\/p>\n<p><span class=\"r-18u37iz\">I figured, it couldn&#8217;t be that easy, right?\u00a0 But like so many things, yes, yes it was.<\/span><\/p>\n<p>To reproduce this:<\/p>\n<ul>\n<li>Open Edge.\u00a0 Don&#8217;t browse anywhere, just open it.<\/li>\n<li>Flip out to Task Manager, search for Edge, then expand that task.<\/li>\n<li>Highlight the &#8220;browser&#8221; sub-task, right-click, and choose &#8220;Create Memory Dump&#8221;.<\/li>\n<\/ul>\n<p style=\"margin-left: 40px;\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/dump_mem_from_process.png?ssl=1\" style=\"width: 
800px; height: 728px;\"><\/p>\n<p style=\"margin-left: 40px;\">Navigate to where the DMP file is stored.<\/p>\n<p style=\"margin-left: 40px;\">If you haven&#8217;t used <span style=\"font-family:Courier New,Courier,monospace;\">strings <\/span>before, you&#8217;re in for a treat.\u00a0 <span style=\"font-family:Courier New,Courier,monospace;\">Strings <\/span>is of course just part of most Linux distros, but you can easily get a copy for Windows as part of MS Sysinternals, at\u00a0https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/strings<\/p>\n<p>\nNow let&#8217;s look for passwords!\u00a0 You could use strings and look for known credentials: just search for a known password and you will certainly find it.\u00a0 Or you can take advantage of the format of the saved data:<\/p>\n<p style=\"margin-left: 40px;\"><span style=\"font-family:Courier New,Courier,monospace;\">&lt;url of the site&gt;&lt;protocol&gt;&lt; &gt;&lt;userid&gt;&lt; &gt;&lt;password&gt;<\/span><\/p>\n<p>So, searching for &#8220;&lt;tld&gt;&lt;protocol&gt;&#8221;, which in most cases is\u00a0&#8220;comhttps&#8221; (no spaces), will find most of them, and they&#8217;ll all be in one nicely formatted group, no less.\u00a0 The command for that will be:<\/p>\n<p style=\"margin-left: 40px;\"><span style=\"font-family:Courier New,Courier,monospace;\">strings -n 8 msedge.DMP | find &quot;comhttps&quot;<\/span><\/p>\n<p>Looking a bit down in the output (since comhttps does match more stuff in the memory dump than just the credential list), I see:<\/p>\n<p style=\"margin-left: 40px;\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/password_dump.png?ssl=1\" style=\"width: 500px; height: 383px;\"><\/p>\n<p>As you can see, Edge isn&#8217;t my primary browser, but I do use it a fair bit for Azure work.\u00a0 And yes, this is a real session, so I cropped\/blurred out 
sensitive accounts and of course passwords.<\/p>\n<p>It really is that easy.<\/p>\n<p>And the ironic thing? \u00a0To view these same credentials in the browser, there&#8217;s a whole security theatre process where Edge wants your biometrics as proof before disclosing even the userid and site names &#8211; you know, &#8220;for security&#8221;. \u00a0All the while, the whole shot is in clear text, free for the looking.<\/p>\n<p>Also, as noted in the X post, Microsoft classifies this as &#8220;intended behaviour&#8221;.\u00a0 I&#8217;m not sure what manager or lawyer decided that; hopefully it wasn&#8217;t anyone in their security team.<\/p>\n<p>Anyway, if the intent of this is to get me to use Firefox or Chrome, it&#8217;s working!!<\/p>\n<p>Have you seen a similar &#8220;strong front door \/ open window&#8221; security example in your forensics?\u00a0 Please share in the comments (keeping any NDAs etc. in mind, of course).<\/p>\n<p>=================<\/p>\n<p><strong>Update:\u00a0<\/strong><\/p>\n<p>Tom J\u00f8ran S\u00f8nstebyseter R\u00f8nning (@L1v1ng0ffTh3L4N) just posted with more detail on his research at: x.com\/l1v1ng0ffth3l4n\/status\/2051308329880719730\u00a0 (follow the comment thread for all the info)<\/p>\n<p>The main thrust of it remains the same.\u00a0 The logged-in Windows user can dump all of their stored Edge credentials with no additional rights.\u00a0 Which means that any malware that user executes also has those credentials for the asking.<\/p>\n<p>===============<br \/>\nRob VandenBrink<br \/>\nrob@coherentsecurity.com<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32954\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cleartext Passwords in MS Edge? 
In 2026?, (Mon, May 4th) Yup, that is for real. For me, this started with a post in X at\u00a0hxxps:\/\/x.com\/intcyberdigest\/status\/2051406295828250963?s=61 , which highlighted research by\u00a0@L1v1ng0ffTh3L4N\u00a0that found exactly this issue.\u00a0 Edge stores all of your browser passwords in clear text, even if you haven&#8217;t used them in this session, y&#8217;know, just [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-12665","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12665"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12665"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12665\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}