GBHackers

Microsoft Edge Found Storing Saved Passwords in Cleartext Memory at Startup


A new security finding reveals that Microsoft Edge loads every saved password into its process memory as cleartext the moment the browser launches.

Even more surprising to security professionals is Microsoft’s official response to the disclosure, which states that this insecure behavior is entirely “by design.”

How the Memory Flaw Works

According to a recent threat intelligence report, Edge poses a significant risk to users who store their credentials natively in the browser. Unlike other modern browsers, Edge does not wait until the user visits a site before decrypting the credential that matches it.

Instead, it decrypts every saved password and holds the plaintext in its process memory as soon as the application opens. That cache includes credentials for sites the user will never visit during the current session.

Security researcher @L1v1ng0ffTh3L4N tested every major Chromium-based browser and found that Edge is the only one operating this way. For comparison, Google Chrome takes a much more secure approach.

Chrome decrypts credentials strictly on demand. On Windows it also uses App-Bound Encryption, which wraps the password-store key so that it can only be unwrapped through a privileged Chrome service that verifies the calling process is Chrome. That stops other processes running as the same user from simply lifting the key and decrypting the password database, although it does not protect against a local administrator, who can still read whatever Chrome has already decrypted in memory.

In Chrome, plaintext passwords are stored in memory only during autofill actions or when a user actively views them in settings, making memory-scraping attacks much less effective.

The most severe impact of this design choice happens in shared computing environments. On a terminal server, this Edge behavior creates an easy opportunity for massive credential harvesting.

If an attacker gains administrative rights, they can read the memory of every user process currently running on the machine. On Windows, administrators hold SeDebugPrivilege, which lets a process open any other user's process with PROCESS_VM_READ access and copy out its memory, including the decrypted password cache.

A published Proof of Concept (PoC) video demonstrates the attack. In the video, a compromised admin account steals the credentials stored for two other users on the same system.

The attacker can extract these passwords as long as the victims have Edge running in the background, even if their sessions are currently disconnected.
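One way to spot the cross-user memory reads described above is to watch Sysmon Event ID 10 (ProcessAccess) for handles opened on msedge.exe with the PROCESS_VM_READ right. The following is an added example, not code from the article or from the researcher's tool: it runs simple detection logic over a handful of constructed Sysmon-style JSON records. The SourceUser and TargetUser fields are assumed to be present (recent Sysmon versions emit them), the file paths are constructed, and the allowlist is a placeholder to tune per environment.

```python
"""Flag reads of Microsoft Edge process memory in Sysmon Event ID 10 records.

Added example (not the article's or the researcher's code).  Input is a list
of JSON lines shaped like Sysmon ProcessAccess events exported by a log
shipper; the records below are constructed for illustration.
"""
import json

# Windows process access right that allows ReadProcessMemory on the target.
PROCESS_VM_READ = 0x0010

# Source images expected to open handles to browser processes: Edge's own
# browser process managing its children, Defender, and Windows Error Reporting.
# Assumed starting allowlist; tune it to what is normal in your environment.
ALLOWLIST = {"msedge.exe", "msmpeng.exe", "werfault.exe"}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def event(src, dst, access, src_user, dst_user):
    """Build one constructed Sysmon-style ProcessAccess record as a JSON line."""
    return json.dumps({"EventID": 10, "SourceImage": src, "TargetImage": dst,
                       "GrantedAccess": access, "SourceUser": src_user,
                       "TargetUser": dst_user})


# Constructed sample events (paths and users are made up).
SAMPLE_EVENTS = [
    # Edge browser process opening one of its own child processes: benign.
    event(EDGE, EDGE, "0x1FFFFF", r"CORP\alice", r"CORP\alice"),
    # Defender engine inspecting the browser: allowlisted.
    event(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
          EDGE, "0x1010", r"NT AUTHORITY\SYSTEM", r"CORP\alice"),
    # An admin dumping another user's Edge on a shared host: the article's case.
    event(r"C:\Tools\procdump64.exe", EDGE, "0x1FFFFF", r"CORP\tsadmin", r"CORP\alice"),
    # Unknown binary reading Edge memory under the same account (local stealer).
    event(r"C:\Users\bob\Downloads\update.exe", EDGE, "0x1010", r"CORP\bob", r"CORP\bob"),
    # Same tool, but the target is not Edge: out of scope for this rule.
    event(r"C:\Tools\procdump64.exe", r"C:\Windows\System32\notepad.exe",
          "0x1FFFFF", r"CORP\tsadmin", r"CORP\alice"),
    # Query-only handle (PROCESS_QUERY_LIMITED_INFORMATION), no VM_READ: benign.
    event(r"C:\Tools\inventory.exe", EDGE, "0x1000", r"CORP\alice", r"CORP\alice"),
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(record: dict):
    """Return a severity for a ProcessAccess record, or None if it is benign."""
    if record.get("EventID") != 10:
        return None
    if image_name(record["TargetImage"]) != "msedge.exe":
        return None
    if image_name(record["SourceImage"]) in ALLOWLIST:
        return None
    # GrantedAccess is a hex string such as "0x1FFFFF"; int(..., 16) accepts the prefix.
    if not int(record["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None
    # A handle opened by a different account than the one running Edge is the
    # terminal-server scenario; same-user reads still matter but rank lower.
    return "high" if record["SourceUser"] != record["TargetUser"] else "medium"


def scan(lines):
    """Run classify() over JSON lines and return alerts in input order."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        severity = classify(record)
        if severity:
            alerts.append({
                "severity": severity,
                "source": record["SourceImage"],
                "source_user": record["SourceUser"],
                "target_user": record["TargetUser"],
                "granted_access": record["GrantedAccess"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the samples, the rule raises a high-severity alert for the procdump read of another user's Edge and a medium one for the same-user read, and stays quiet for Edge's own child-process handles, the AV engine, the non-Edge target and the query-only handle. In production the allowlist needs care: Edge spawns many child processes and some EDR and backup agents open browser handles routinely, so build the baseline from real data before alerting on it.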

Adding to the confusion, Edge still requires users to re-authenticate, such as entering a PIN or Windows password, before viewing passwords in the built-in Password Manager interface.

Yet, the browser process already holds all those same passwords in plaintext memory behind the scenes, making the UI security prompt largely theatrical.

The vulnerability was officially disclosed on April 29 at the BigBiteOfTech conference by Palo Alto Networks Norway.

Alongside the public disclosure, the researcher released a small educational tool on GitHub. This tool, named “EdgeSavedPasswordsDumper,” allows security teams to verify the cleartext memory storage on their own systems.
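Before trusting or rejecting the claim on a given build, a security team can check it directly: save a throwaway canary password in Edge for a site you control, start Edge without visiting that site, take a full memory dump of the browser process, and search the dump for the canary. The script below is an added example for that last step; it is not the EdgeSavedPasswordsDumper tool and not Microsoft code. It assumes a dump produced with Sysinternals procdump (procdump -ma <pid> edge.dmp) or Task Manager's "Create dump file", and it searches both UTF-8 and UTF-16LE because Chromium-based browsers keep strings in UTF-16 internally. The canary value and file name are placeholders.

```python
"""Search a process memory dump for a known canary password.

Added example (not the article's or the researcher's code).  Dump your own
Edge browser process only, and delete the dump afterwards: if the finding
holds, it contains every password saved in that profile.
"""
import mmap
import sys

# Placeholder canary; save this as the password for a throwaway site you control.
CANARY = "EdgeCanary-7f3a"


def find_canary(dump, canary: str) -> dict:
    """Return byte offsets where `canary` appears, keyed by encoding.

    `dump` is anything with a bytes-like find(): a bytes object or an mmap.
    UTF-16LE is checked as well as UTF-8 because Chromium stores password
    values in UTF-16 strings, so that is the form most likely to appear.
    """
    hits = {}
    for label, needle in (("utf-8", canary.encode("utf-8")),
                          ("utf-16le", canary.encode("utf-16-le"))):
        offsets, start = [], 0
        while True:
            pos = dump.find(needle, start)
            if pos < 0:
                break
            offsets.append(pos)
            start = pos + 1
        hits[label] = offsets
    return hits


def scan_dump_file(path: str, canary: str) -> dict:
    """Memory-map a (possibly multi-GB) dump and scan it without loading it whole."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_canary(mm, canary)


# Constructed stand-in for a dump: the canary once in UTF-16LE, once in UTF-8,
# surrounded by filler bytes.  A real dump is passed on the command line.
SAMPLE_DUMP = (bytes(64) + CANARY.encode("utf-16-le")
               + bytes(32) + b"unrelated" + CANARY.encode("utf-8") + bytes(16))


if __name__ == "__main__":
    # Usage: python edge_canary.py edge.dmp 'EdgeCanary-7f3a'
    if len(sys.argv) == 3:
        result = scan_dump_file(sys.argv[1], sys.argv[2])
    else:
        result = find_canary(SAMPLE_DUMP, CANARY)
    for encoding, offsets in result.items():
        print(f"{encoding}: {len(offsets)} hit(s) at {offsets}")
```

Edge runs as many msedge.exe processes; the one to dump is the browser process, which is the only one whose command line carries no --type= argument (in PowerShell, Get-CimInstance Win32_Process -Filter "Name='msedge.exe'" | Select-Object ProcessId, CommandLine shows them). A hit in the UTF-16LE search right after startup, before the canary's site is visited, reproduces the finding; a single dump without a hit is weaker evidence, so repeat the dump a few times before concluding the behavior is absent. Dumping a process needs the same rights the attacker relies on, which is itself the point of the article.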

Until Microsoft changes its stance on this architecture, cybersecurity experts strongly recommend that enterprise users avoid saving sensitive credentials directly within Microsoft Edge.

Dedicated third-party password managers that decrypt entries strictly on demand narrow the window in which plaintext is exposed and remain the best defense against memory scraping. They do not remove it entirely: any secret a manager has unlocked is readable by a local administrator, so on shared hosts the durable controls are limiting who holds administrative rights and not leaving Edge running in disconnected sessions.
