Last week, Microsoft Edge has become the second most popular desktop Web browser based on NetMarketShare usage figures. The new, Chromium-powered Edge offers impressive levels of customization and performance, much better compatibility with Web sites. The new browser is available on multiple platforms including older versions of Windows. With Chromium-based Edge quickly gaining momentum, we felt the urge of researching its protected storage.

Microsoft Edge: the Chromium edition

Released on January 15, 2020, the new Microsoft Edge is based on Chromium, an open-source browser project. The new Microsoft Edge is compatible with all supported versions of Windows, and macOS. The new browser replaces the legacy version of Microsoft Edge on Windows 10 PCs.

Microsoft Edge has quickly gained popularity, in April 2020 becoming the second most popular desktop Web browser based on usage. Microsoft Edge gets ahead of Mozilla Firefox, which used to be the second most popular Web browser, and threatens Chrome as a new major competitor.

The new Edge shares its engine with Google Chrome, world’s most popular Web browser. The use of the common engine allows Microsoft to offering a straightforward migration path from Google Chrome. Users can instantly import their favorites, browsing history, open tabs and stored passwords in a few clicks. Today, we’ll look into how Microsoft Edge stores and protects users’ passwords.

Just like Google, Microsoft synchronizes passwords with the cloud. However, unlike Google, Microsoft does not offer users online access to synchronized passwords. As a result, users cannot manage or delete their synchronized passwords from their Microsoft Account without a working instance of Microsoft Edge browser. The new Edge and Edge Legacy apparently use different synchronization mechanisms. The new Edge, once installed, disables Edge Legacy, effectively making the user’s synchronized cloud passwords into a ghost.

Chromium Edge: departure from Windows Data Protection API (DPAPI)

Microsoft Internet Explorer and what is known today as Edge Legacy use Windows Credential Manager to store saved passwords and Web credentials. Windows Credential Manager, in turn, is protected with Microsoft’s Data Protection API (DPAPI) introduced way back in Windows 2000. Windows 10 employs AES-256 to encrypt the passwords. Passwords stored by Edge Legacy could be obtained by acquiring the Web Credentials.

With the release of the Chromium-based Edge browser, Microsoft opted to use Chromium built-in password manager instead of relying on Windows Credential Manager. As a result, the new Microsoft Edge Chromium no longer employs Microsoft DPAPI for protecting stored passwords. Instead, the passwords are protected with industry-standard AES 256 GCM encryption, while DPAPI is only used to protect the vault encryption key. Interestingly, other Web browsers that are based on the Chromium project are using the same encryption scheme. This includes the latest versions of Google Chrome, Opera, and Chromium browser.

By default, Edge Chromium does not protect the encrypted password database with a master password. Instead, Microsoft uses the Data Protection API (DPAPI) to protect the encryption key with the user’s Windows credentials. In turn, DPAPI uses AES-256 to encrypt the encryption key.

In order to access passwords stored in Edge Chromium, one must sign in with the user’s Windows credentials (authenticating with a login and password, PIN code, or Windows Hello) or hijack the active session. As a result, Edge Chromium password vault is covered with the same level of protection as the user’s Windows login.

This, effectively, enables someone who knows the user’s login and password or hijacks the current session to access the stored passwords. This is exactly what we implemented in Elcomsoft Internet Password Breaker.

Using Elcomsoft Internet Password Breaker to extract passwords from Edge Chromium

In order to extract passwords from Web browsers such as Chrome or Microsoft Edge, you must be able to authenticate into the user’s Windows account (with their login and password, Microsoft Account credentials, PIN code or Windows Hello) or hijack an already authenticated session. Note: analyzing a forensic disk image without knowing the user’s password will not provide access to Edge cached passwords due to DPAPI protection.

1. Launch Elcomsoft Internet Password Breaker.
2. Select Web Browsers – Edge Chromium from the menu.
3. In a few seconds, the list of passwords will appear.

Alternatively, you can click on the “Export” button to create a filtered list of all of the user’s passwords. You can than use that list as a custom dictionary in password recovery tools to create smart attacks.

Conclusion

The new Chromium-powered Microsoft Edge is a huge departure from Edge Legacy. The new password protection engine shared with other Chromium-based browsers is vastly different from the DPAPI vault and Credential Manager employed by the legacy Edge. The new password vault offers users the same level of protection as the old Edge, but is significantly easier to extract with third-party tools thanks to the open-source nature of the underlying engine – if and only if one has access to the user’s Windows credentials or an already authenticated session. Cold disk image attacks still remain out of the question unless the user’s Windows password can be recovered.