
Microsoft Edge “by design” decrypts and loads all saved user passwords into memory, where they remain in cleartext throughout the session. This makes credential harvesting easier for attackers, a security researcher warns. However, if an attacker is already in a position to read process memory, the user has bigger problems.
Security researcher Tom Jøran Sønstebyseter Rønning discovered a unique Microsoft Edge behavior: on startup, the browser loads all saved passwords into memory and keeps them in cleartext for the entire duration of the session.
“This happens even if you never visit a site that uses those credentials,” the researcher posted on X.
“Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
This makes it easier for attackers to extract saved passwords by reading process memory.
Chrome, for example, only decrypts a password when it is needed and also uses its Application-Bound Encryption feature as an additional defence against information theft, which locks the keys to an authenticated Chrome process running as SYSTEM. Therefore, passwords only briefly appear in plain text, during autofill or when users view them.
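The difference the article describes is a matter of secret lifetime: decrypt everything at startup and hold it for the session, or decrypt one credential only for as long as it is used and wipe it afterwards. The following toy model, added here as an illustration and not code from Edge, Chrome or the researcher, builds both designs over the same ciphertext and uses a buffer scan as a stand-in for a memory dump. The cipher (an HMAC-SHA256 counter keystream), the store classes, the site names and the sample passwords are all constructed for the example.

```python
"""Toy model: eager vs. on-demand decryption of a saved-password store.
Constructed for illustration; not Edge or Chrome code, and the cipher is a
demonstration keystream, not a vetted one."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher for the demo)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_into(key: bytes, blob: bytes, out: bytearray) -> None:
    """Decrypt into a caller-owned bytearray so the plaintext can be wiped later."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    out[:] = bytes(c ^ k for c, k in zip(body, ks))


class EagerStore:
    """Decrypts every credential at startup and keeps the plaintext all session long."""

    def __init__(self, key: bytes, blobs: Dict[str, bytes]) -> None:
        self._plain: Dict[str, bytearray] = {}
        for site, blob in blobs.items():
            buf = bytearray()
            decrypt_into(key, blob, buf)
            self._plain[site] = buf

    def buffers(self) -> List[bytes]:
        return [bytes(b) for b in self._plain.values()]


class LazyStore:
    """Holds only ciphertext; decrypts one credential for the duration of a call, then wipes it."""

    def __init__(self, key: bytes, blobs: Dict[str, bytes]) -> None:
        self._key = key
        self._blobs = dict(blobs)
        self._in_use: List[bytearray] = []

    def with_password(self, site: str, fn: Callable[[bytearray], object]) -> object:
        buf = bytearray()
        decrypt_into(self._key, self._blobs[site], buf)
        self._in_use.append(buf)
        try:
            return fn(buf)
        finally:
            buf[:] = bytes(len(buf))  # best-effort zeroisation once the caller is done
            self._in_use = [b for b in self._in_use if b is not buf]

    def buffers(self) -> List[bytes]:
        return [bytes(b) for b in self._blobs.values()] + [bytes(b) for b in self._in_use]


def leaks(store, secret: bytes) -> bool:
    """Stand-in for a memory scan: is the plaintext present in any buffer the store holds?"""
    return any(secret in b for b in store.buffers())


def demo() -> Dict[str, bool]:
    key = os.urandom(32)
    secret = b"hunter2-constructed-example"  # constructed sample password
    blobs = {
        "mail.example.test": encrypt(key, secret),
        "bank.example.test": encrypt(key, b"another-constructed-secret"),
    }
    eager = EagerStore(key, blobs)
    lazy = LazyStore(key, blobs)
    lazy_idle = leaks(lazy, secret)
    # The plaintext is visible only inside the window in which it is actually used.
    during_use = lazy.with_password("mail.example.test", lambda buf: leaks(lazy, secret))
    return {
        "eager_idle": leaks(eager, secret),
        "lazy_idle": lazy_idle,
        "lazy_during_use": during_use,
        "lazy_after_use": leaks(lazy, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The eager store exposes every password to a scan for the whole session; the on-demand store exposes one password only while the callback runs. The wipe in `finally` is best-effort: a managed runtime can copy the bytes elsewhere (as `bytes(buf)` would), which is why real implementations pair short secret lifetimes with OS-level protections such as the key binding described above.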
The researcher warns that an attacker with administrative access on a terminal server can read the memory of every logged-on user's processes. The proof of concept demonstrates that such an attacker could retrieve other users' saved passwords while Edge is running.
“I reported this to Microsoft, and the official response was that the behavior is ‘by design.’ They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions,” the researcher concluded.
Still, exploiting this bug requires administrative privileges on the system, which can already be considered a full compromise. Security experts on Hacker News noted that administrative access can be abused to extract passwords from any browser.
“If you can read arbitrary process memory, you’re probably also in a position to just dump out the passwords by pretending to be the user in question,” one of the users said.
“Once an attacker gains administrator access, it is game over by definition,” another one responded.
Microsoft: This helps users sign in quickly and securely
Microsoft acknowledges that this behavior is by design.
“Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats,” a Microsoft spokesperson explained.
“Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”
Security experts have always advised against using web browsers to store passwords. Raging infostealer malware attacks exploit user and system weaknesses to extract credentials in seconds. It's paramount to use multi-factor authentication and, wherever possible, migrate to passkeys as a more secure alternative.
Updated on May 6th [06:20 a.m. GMT] with a statement from Microsoft.