Edge stores passwords in plaintext memory at startup; a tool has been released to test against the flaw.
Use a real password manager, people
*operating system
This requires reading application memory
Seems like a pretty basic security precaution to avoid loading decrypted secrets into memory before they’re needed. Someone who can access application memory can already own you but there isn’t really a good reason why they should be able to access secrets that you never accessed while they were in.
I wouldn’t say it’s an alarming flaw, just seems weirdly and unnecessarily unsafe
At some point they will need to be decrypted anyway
I think this was done for performance and simplicity
Yep, and at that point they will be in memory until a reasonable time to clean up. But decrypting the whole password database and leaving it there forever seems needlessly unsafe.
TIL: If you cat /proc/sys/kernel/yama/ptrace_scope on your Linux distro:
- 0: All processes with same UID can read each other’s memory
- 1: Restricted (Only parents can read children)
- 2: Admin only (Requires sudo).

Most distros have this set to 1 by default.
More details: man 2 ptrace, search using /:scope

Didn’t Bitwarden store your passwords in application memory too?
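
An added example, not part of any comment in this thread: a shell audit of the ptrace_scope setting described above, checking both the running value and what sysctl configuration will apply at the next boot. The function names, the simplified file read order and the extra value 3 (from the kernel's Yama documentation) are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope setting (runtime vs. persisted).

# Meaning of each value, per the kernel's Yama documentation.
describe_scope() {
    case "$1" in
        0) echo "classic: same-UID processes can attach to each other" ;;
        1) echo "restricted: only a parent or declared tracer can attach" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "no-attach: ptrace attach disabled, setting locked once chosen" ;;
        *) echo "unknown value"; return 1 ;;
    esac
}

# Read sysctl.d-style text on stdin; print the last value assigned to
# kernel.yama.ptrace_scope (a later assignment overrides an earlier one).
persisted_scope() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^-/, "", key)                  # "-key" = ignore write errors
            gsub(/\//, ".", key)                # a/b/c and a.b.c are the same key
            if (key == "kernel.yama.ptrace_scope") last = val
        }
        END { if (last != "") print last }'
}

# $1 = runtime value, $2 = persisted value (empty if never set).
# Returns 0 only if same-UID attach is blocked now and stays blocked on reboot.
audit_scope() {
    if [ "$1" -lt 1 ]; then
        echo "WEAK: runtime=$1 ($(describe_scope "$1"))"; return 1
    fi
    if [ -n "$2" ] && [ "$2" -lt 1 ]; then
        echo "REGRESSES: runtime=$1 but config sets $2 at next boot"; return 1
    fi
    echo "OK: runtime=$1 ($(describe_scope "$1"))"
}

# Live check. Assumption: files are read in this simplified order; systemd-sysctl
# also reads /usr/lib/sysctl.d and /run/sysctl.d with its own precedence.
if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    audit_scope "$(cat /proc/sys/kernel/yama/ptrace_scope)" \
        "$(cat /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null | persisted_scope)" || true
fi
```
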
Removed by mod
Two years and you end it all with that? Oook





