EdgeSavedPasswordsDumper is a C# proof-of-concept tool hosted on GitHub at L1v1ng0ffTh3L4N/EdgeSavedPasswordsDumper (315 stars). It highlights a specific security issue in Microsoft Edge: the browser keeps credentials saved in its Password Manager in plaintext within the parent process memory. The project exists to demonstrate the risk, particularly in multi-user setups such as terminal servers, where an attacker could access the Edge processes of any logged-on or disconnected user.
The tool targets Edge versions up to 147.0.3912.98. Once credentials are saved via Edge's Autofill feature, they remain exposed in memory. Microsoft has acknowledged this behavior as "by design" and declined to change it. The author created the tool for educational purposes, to raise awareness of memory inspection techniques and of differences in how browsers handle credentials. The README admits to potential rough edges, as the developer lacks deep C# experience, and welcomes contributions.
What it does
This tool scans running Edge processes and extracts saved credentials stored in cleartext. It attaches to the parent Edge process—msedge.exe—and reads memory regions where login details persist. Output includes usernames and passwords directly from memory, proving their accessibility without decryption.
Key aspects include:
- Access to credentials from the Microsoft Password Manager (Autofill-saved logins).
- Functionality without administrator rights, limited to the current user's Edge processes.
- Elevated privileges expand reach to other users' processes on the same machine.
- Demonstration of plaintext storage across all saved credentials, not just active sessions.
No encryption protects these in-memory copies, making them vulnerable to tools like this. The project stresses its role in security research, not exploitation.
Getting it running
Requirements are straightforward: .NET Framework 4.8.1 and Edge 147.0.3912.98 or earlier. Newer Edge versions may alter memory layouts, potentially breaking compatibility.
To use it:
- Clone the repository: git clone https://github.com/L1v1ng0ffTh3L4N/EdgeSavedPasswordsDumper.git
- Open the solution in Visual Studio, or build from the command line with dotnet build (assuming .NET SDK compatibility with Framework 4.8.1).
- Run the resulting executable, EdgeSavedPasswordsDumper.exe.
No installation beyond building is needed. Launch Edge, save a test credential via Password Manager (e.g., on a demo site), then execute the tool. It enumerates msedge.exe processes, reads their memory, and dumps strings matching credential patterns. Without admin rights, it targets only your session's processes. Run it as administrator (right-click, or runas) for multi-user access.
Expect console output listing the processes scanned and the extracted credentials as username:password pairs. Test on a virtual machine to avoid exposing real data. The tool runs quickly, often in under a second per process.
Who this is for
Security researchers and educators benefit most. It serves as a hands-on example for teaching process memory forensics, using APIs like OpenProcess, ReadProcessMemory, and string pattern matching in C#. Students learning Windows internals can dissect the source to see how it identifies credential blobs.
IT admins in shared environments, such as Remote Desktop Services or terminal servers, should note the implications. An attacker with local access—or via malware—could dump credentials from all users' Edge sessions, even disconnected ones. This underscores risks of relying on browser password managers in multi-tenant setups.
Red teamers might reference it for controlled pentests, after obtaining permission. Anyone auditing browser security hygiene will find it useful for awareness training. It's not for production monitoring; its narrow scope limits broader use.
Real-world context
In terminal server scenarios, multiple users run Edge under their own sessions, and each session's saved passwords persist in its parent process memory. A low-privilege user or scripted attack could enumerate processes via tasklist or WMI, then apply similar dumping logic. This project proves the vector without needing kernel drivers or debug privileges.
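For the admins of shared hosts this page addresses, the practical question is how to notice a dump like this happening. The tool's own description (OpenProcess and ReadProcessMemory against msedge.exe) maps directly onto Sysmon Event ID 10 (ProcessAccess), which records the source image, the target image, the granted access mask and, in recent Sysmon versions, the SourceUser and TargetUser fields. The following is an added example, not code from the EdgeSavedPasswordsDumper project: it parses a constructed flat rendering of such records and flags any non-Edge process that obtains PROCESS_VM_READ on msedge.exe, escalating to "critical" when the reading account differs from the Edge owner, which is exactly the multi-user case above. The key=value record layout, the sample paths and users, and the allow-list are all assumptions to adapt to the real log source.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Source images allowed to open msedge.exe with read access. Edge's own child
# processes routinely open the parent; anything else deserves a look.
# Assumption: tune this allow-list for the environment being monitored.
ALLOWED_SOURCE_IMAGES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}


@dataclass
class ProcessAccessEvent:
    """Subset of a Sysmon Event ID 10 (ProcessAccess) record."""
    utc_time: str
    source_image: str
    source_user: str
    target_image: str
    target_user: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one flattened 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessAccessEvent(
        utc_time=fields["UtcTime"],
        source_image=fields["SourceImage"],
        source_user=fields["SourceUser"],
        target_image=fields["TargetImage"],
        target_user=fields["TargetUser"],
        granted_access=int(fields["GrantedAccess"], 16),  # Sysmon logs hex, e.g. 0x1410
    )


def classify(ev: ProcessAccessEvent) -> Optional[str]:
    """Return a severity for reads of Edge memory, or None if the event is benign."""
    if not ev.target_image.lower().endswith("\\msedge.exe"):
        return None
    if ev.source_image.lower() in ALLOWED_SOURCE_IMAGES:
        return None
    if not ev.granted_access & PROCESS_VM_READ:
        return None  # query-only handles cannot read memory
    # A different account reading Edge memory is the terminal-server scenario.
    if ev.source_user.lower() != ev.target_user.lower():
        return "critical"
    return "high"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify over raw records; return (time, source image, severity) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        severity = classify(ev)
        if severity is not None:
            hits.append((ev.utc_time, ev.source_image, severity))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Edge child opening the parent process: expected, allow-listed.
    "UtcTime=2025-01-01 10:00:00.000"
    r"|SourceImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|SourceUser=CORP\alice"
    r"|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|TargetUser=CORP\alice|GrantedAccess=0x1410",
    # Unknown binary reading Edge memory within the same user's session.
    "UtcTime=2025-01-01 10:00:01.000"
    r"|SourceImage=C:\Users\alice\Downloads\unknown_tool.exe"
    r"|SourceUser=CORP\alice"
    r"|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|TargetUser=CORP\alice|GrantedAccess=0x0410",
    # Same binary, run by a different account against alice's Edge: cross-session.
    "UtcTime=2025-01-01 10:00:02.000"
    r"|SourceImage=C:\Users\bob\Downloads\unknown_tool.exe"
    r"|SourceUser=CORP\bob"
    r"|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|TargetUser=CORP\alice|GrantedAccess=0x0410",
    # Query-only handle (no PROCESS_VM_READ): benign.
    "UtcTime=2025-01-01 10:00:03.000"
    r"|SourceImage=C:\Windows\System32\Taskmgr.exe"
    r"|SourceUser=CORP\alice"
    r"|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|TargetUser=CORP\alice|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for utc_time, source_image, severity in scan(SAMPLE_EVENTS):
        print(f"{severity.upper():8} {utc_time} {source_image}")
```

Feeding the constructed records through scan yields one "high" hit (same-user read) and one "critical" hit (cross-user read); the Edge child process and the query-only handle are ignored. Because the mask check is on the PROCESS_VM_READ bit rather than on an exact value, the rule is not defeated by a reader that requests a broader combination of rights.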
Microsoft's stance that plaintext storage is intentional stems from performance trade-offs in autofill: Edge prioritizes speed over isolating credentials per process. Compare this to Chrome, which keeps credentials in DPAPI-protected, encrypted SQLite files on disk and avoids leaving them fully in plaintext in memory dumps, though it is not immune to similar attacks with adjustments.
For awareness campaigns, pair it with talks on least-privilege principles. Run demos in isolated labs: save dummy creds, launch the dumper, show output. Emphasize responsible use per the README disclaimer.
How it compares
Few direct alternatives exist for Edge-specific dumping, as most tools target disk-based stores. Mimikatz handles LSASS and browser SQLite but skips Edge's in-memory plaintext. SharpChrome or similar C# Chrome dumpers focus on encrypted blobs, requiring DPAPI extraction.
BrowserPasswordDumper (various forks) covers multiple browsers' files but ignores runtime memory. For memory forensics, Volatility or Rekall plugins analyze dumps post-mortem, less interactive than this live tool.
This project stands out for simplicity: under 1,000 lines of C# with no dependencies beyond .NET. It is lighter than full suites like LaZagne, which scan files and registries across many applications. Its drawbacks are the Edge version limit and its single-purpose design; if you need cross-browser or persistent dumping, look to those suites instead.
The README repeats educational intent and legal warnings: no liability, user responsibility for compliance. Source code reveals straightforward WinAPI calls—EnumProcesses, pattern scanning for credential structs. Fixes might involve memory layout changes in future Edge updates.
Researchers can verify the claims by compiling and testing; the 315 stars reflect niche interest in browser security gaps. Download from the GitHub repo for the latest version. The tool fits narrow teaching roles but carries clear misuse risks in unauthorized hands. Source: GitHub repository.