Security bug in Edge password manager


So in Edge password manager, you took care of this problem by showing a fixed number of stars to prevent unauthorized users from seeing the exact number of characters in each password.

[Image: fdsfsfs.png]

But the problem is, you can still see the total number of password characters when you go to each website.

[Image: 11.png]

[Image: jklhyghi.png]

Notice the upper password has 3 more characters, and I checked and confirmed that the number of stars correctly represents the number of characters in the unmasked password.

And since an attacker can see the website names in plain text in Edge password manager:

edge://settings/passwords

[Image: fdcdsff.png]

all they have to do is go to that website and click on the username/password field to view the exact number of password characters.

Using Edge dev Version 87.0.664.8 (Official build) dev (64-bit)

(Also sent using the feedback button on Edge)

5 Replies

@HotCakeX  Yeah, what can we do?!

@Kam 

I don't see the need to add others; again, if I wanted to do that I'd do it myself.

I don't care who drew is or whatever.

Jesus.

@HotCakeX :unamused: :facepalm: I already told you sorry. If you want I'll edit my post.

@Kam 

I don't care, dude. It's not worth my time arguing.

I just hate when someone trashes my post that actually has valuable content.

Yeah I don't care either. Let's just stop arguing.