16

Since we are accessing Gmail from the Edge browser, Microsoft could have access to the Gmail password. Theoretically, Microsoft can track this password along with sending it to Gmail servers. What prevents Microsoft from tracking the password (and using it in a malicious way)? Is it solely fear of losing reputation/face, or does some technical reason prevent this from happening at all in the first place?

Edit: One similar basic question on security: What prevents random software installation popups from misinterpreting our consent?

8
  • 37
    This isn't specific to Edge, but any browser. And the answer is "there is nothing that prevents this". That's why being very careful about what browser extension you use is also important. Commented Aug 28, 2024 at 20:20
  • 12
    And that's not specific to browsers either: any software you run has ways to extract information from your systems. Commented Aug 28, 2024 at 20:21
  • 20
    And the OS too, for that matter. Commented Aug 28, 2024 at 20:22
  • 13
    And to make OP even more paranoid: the firmware running on your HDD, and the hardware inside your keyboard too. Commented Aug 28, 2024 at 20:29
  • 9
    The fact that most, if not all, browsers will by default ask if you want them to store your passwords and other credentials should make it obvious that they have access to them. Commented Aug 29, 2024 at 20:35

4 Answers

58

There's no technical feature which prevents the browser from stealing or misusing website passwords. The browser GUI receives the password as plaintext as soon as you type it in. What does prevent misuse is that it's going to violate the laws in many countries and cause major harm (legally and financially) to the browser vendor.

But this certainly highlights the fact that browsers have access to extremely critical data and should be chosen very carefully.

11
  • 5
    Very good answer. I feel like this extends further than just the browser; by definition, the operating system could also be able to intercept keystrokes and send critical data back to their servers. However, this is simply not legal. It would be fatal for a company like Apple, Microsoft, Google, or any large software corporation to add such spyware to their products. They would be subject to horrid PR, ruthless legal charges, and a user base who would all leave their products. Commented Aug 29, 2024 at 4:42
  • 8
    That boils down to not to use proprietary software (Edge, Chrome, ...). The FOSS software has the source code available, is regularly audited and changes are followed by many people, which makes sneaking such "backdoors" much more complicated (obviously unless users are lured to install malicious extensions). Commented Aug 29, 2024 at 10:54
  • 1
    @JamesThorpe Exactly, in a closed source application an employee could have injected malicious code, and that would have been deployed widely and would have taken years and years for the flaw to be found out. The "xz utils backdoor" was discovered immediately after release thanks to FOSS. And keep in mind that your remote employees could be North Korean hackers. Commented Aug 29, 2024 at 17:02
  • 2
    @Jakuje Source code available doesn't mean anyone reads it. And it means I can take a perfectly safe browser, change the source code to make it spy on end users, and trick my exact target into using it. Commented Aug 31, 2024 at 0:19
  • 1
    @Xiddoc "who would all leave their products". Well, I'm a bit cynical about the "all" part of this statement. We've seen things like the Sony BMG rootkit and Lenovo Superfish scandals where there was a lot of backlash, but certainly not all customers left Sony or Lenovo. But the general idea is correct. Commented Sep 3, 2024 at 18:40
2

Nothing stops them, but it would be difficult for them to get away with it without being found out. Many paranoid users run monitoring software (e.g. Little Snitch for Macs, OpenSnitch for Linux, similar tools for Windows) that would detect the browser opening extra network connections to send this information back to the control site. If the browser vendor is in league with the OS vendor (or they're the same, e.g. Microsoft provides both Windows and Edge, Apple provides both MacOS and Safari), they may be able to add additional measures to the OS to thwart this monitoring. But this suffers from some flaws:

  • It doesn't work for users who run the browser on another OS.
  • Users can run monitoring software on their router, out of reach of the OS.

Even if you posit a conspiracy between the OS/browser provider and router manufacturers, there are third-party, open-source router firmwares.

And if the browser is open source, as in the case of the Chromium core of Google Chrome and Edge, and Mozilla Firefox, it would be found in the public source code. Although in the cases of Chrome and Edge, it might be outside the open-source parts.

As long as there's healthy competition in the browser market, a provider who does this would just be shooting themselves in the foot. When they're caught, the users would just switch to a different, safer browser. There's almost never been a time when users didn't have a choice of several browsers, except maybe the first year or so of the web's existence.

2
  • 3
    Your logic here is ... sketchy. One could run a "collecting" browser on another OS. Ok fine, but then the browser could easily be coded to look for the preferred OS. Browsers "phone home" all the time (with encrypted data), so data can be passed at any time and avoid detection. How are routers relevant? Just because something can't feasibly be a 100% solution, that doesn't mean that it can't happen, so I'm really not sure what you are trying to say with this answer. So, all you end up concluding is the same thing as the accepted answer, but with strange tangents. Commented Aug 29, 2024 at 14:58
  • 1
    Good point about browsers phoning home for things like auto-complete. The main thing I was trying to say is that any popular application will be scrutinized in various ways and they're likely to be caught. Commented Aug 29, 2024 at 15:21
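The answer above relies on monitoring tools such as Little Snitch or OpenSnitch noticing a browser opening connections it has no business opening. The following is an added example (not code from the original answer or from any of those tools) of the classification such a monitor performs: each outbound connection from a browser process is compared against the hosts the user actually visited and the vendor's own infrastructure, and anything else is flagged. The process names, the visited-host set, the vendor suffix lists and the connection records are all constructed for this example.

```python
"""Classify a browser's outbound connections as expected or suspicious.

Added example, not from the original answer. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    process: str   # local process name as a host firewall would report it
    dest: str      # hostname from DNS/SNI, or a bare IP if none was seen
    port: int


# Hosts the user actually navigated to (constructed). A real tool would take
# these from browser history or from the SNI of the page's own connections.
VISITED = {"mail.google.com", "accounts.google.com"}

# Vendor-owned domains each browser legitimately contacts for updates,
# telemetry, safe-browsing lists and similar (constructed suffix lists).
VENDOR_SUFFIXES = {
    "msedge": (".microsoft.com", ".bing.com", ".msedge.net"),
    "firefox": (".mozilla.org", ".mozilla.net", ".mozilla.com"),
}


def is_ip(dest: str) -> bool:
    """True if the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def host_matches(host: str, suffixes) -> bool:
    """True if host equals or is a subdomain of one of the vendor suffixes."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def classify(conn: Conn) -> str:
    """Return 'visited', 'vendor', or an 'alert: ...' reason string."""
    if is_ip(conn.dest):
        # A browser reaching a raw IP with no DNS/SNI context is unusual.
        return "alert: bare IP destination with no DNS/SNI to justify it"
    if conn.dest in VISITED:
        return "visited"
    if host_matches(conn.dest, VENDOR_SUFFIXES.get(conn.process, ())):
        # Note the limit of this approach: exfiltration hidden inside
        # legitimate phone-home traffic to vendor hosts passes as 'vendor'.
        return "vendor"
    if conn.port != 443:
        return f"alert: unknown host on non-standard port {conn.port}"
    return "alert: host is neither visited nor known vendor infrastructure"


def audit(conns):
    """Return (connection, reason) pairs for every connection that alerts."""
    results = [(c, classify(c)) for c in conns]
    return [(c, r) for c, r in results if r.startswith("alert")]


# Constructed sample of what a host firewall might log during a Gmail login.
SAMPLE_CONNECTIONS = [
    Conn("msedge", "mail.google.com", 443),
    Conn("msedge", "edge.microsoft.com", 443),
    Conn("msedge", "accounts.google.com", 443),
    Conn("msedge", "203.0.113.77", 8443),             # TEST-NET address
    Conn("msedge", "collector.example.net", 443),
    Conn("firefox", "mail.google.com", 443),
    Conn("firefox", "incoming.telemetry.mozilla.org", 443),
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_CONNECTIONS):
        print(f"{conn.process} -> {conn.dest}:{conn.port}  {reason}")
```

Run as a script, it reports the bare-IP connection and the unknown collector host and stays silent about everything else. That silence is the weakness the comment above points out: a connection to a vendor-owned host on port 443 is classified as ordinary phone-home traffic, and a monitor sitting on the router (the other option the answer mentions) sees even less, since it gets only the destination IP and, at best, the TLS SNI, not the process name. In practice a real allowlist is also far noisier than the two-entry VISITED set here, because a single page load pulls content from many third-party hosts.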
2

There is nothing that prevents this. If this is something you are worried about, choose a browser whose source code is publicly available (e.g. Firefox and forks, Chromium), audit the code of the browser to see whether it has anything like that, then compile it yourself. Of course you still need to trust the operating system and the compiler, so you may need to follow these steps for these pieces of software too.

It is unlikely that a browser whose source code is publicly available does something like this because somebody would certainly have noticed by now. With closed-source software such as Edge or Google Chrome - or even technically precompiled binaries of FOSS browsers - who knows.

7
  • 7
    "reviewing the code yourself" takes an incredible amount of both time and skill for a browser. Once you include the OS ... forget about it. This answer is of limited usefulness... Commented Aug 29, 2024 at 16:13
  • @schroeder I do not dispute this; it is however the theoretically correct solution to not trusting software. Commented Aug 29, 2024 at 18:37
  • 2
    Chrome does indeed do this, but openly and behind an opt-in. Of course, it is not intended to nefariously steal the user's passwords, merely to help the user remember them. But it meets all of the technical criteria described in the question. Commented Aug 29, 2024 at 19:10
  • 3
    "you may need to follow these steps for these pieces of software too" --> this leads to a vicious cycle - how to trust the compiler used to compile the compiler? A solution to break this cycle can be applied to the original issue and negate the need to download & compile. Commented Aug 30, 2024 at 2:13
  • 1
    There is a project called "live-bootstrap" to start from a tiny binary stub, small enough to hand audit and build up from there using only source code, which could in principle be audited. It's a long road though from the tiny binary stub to a modern OS and just because something can be audited doesn't mean it actually has been. Commented Aug 31, 2024 at 1:23
2

Nothing does, and this is why you need an extremely high degree of trust in your browser as well as any other system components (operating system, input methods, etc.) that have access to your inputs or through which sensitive information transits.

This is why it is highly malicious behavior when mobile apps like Facebook ship their own in-app browsers that hijack links from within the app and load them in the in-app browser rather than launching the system browser. Most users do not understand the difference, and if they navigate to a site which asks for their password, do not understand that they are entering their password to a sketchy in-app browser rather than the browser they trust.

1
  • +1: I feel that this answer deserves more recognition for its mention of malicious in-app browsers. Commented Apr 25, 2025 at 14:21
