Microsoft has recently come under fire for how its Edge browser handles your saved passwords. A security expert named Tom Jøran Sønstebyseter Rønning has shared a worrying discovery about the Microsoft Edge web browser. It turns out that when you use Edge to save your passwords, the browser turns them into plaintext as soon as the app starts.
For context, plaintext means the passwords are not scrambled or hidden. They sit in the computer's memory as plain words that anyone with administrative privileges or SYSTEM-level access can read.
Rønning shared these findings at a tech event in Oslo called Big Bite of Tech 26. The event was hosted by the research firm Palo Alto Networks Norway. He explained that Edge is the only browser he tested that works this way, whereas other browsers like Google Chrome are safer because they use a method called App-Bound Encryption (ABE).
This feature locks the passwords to the specific browser app and only unscrambles them when you actually need to log in to a site. Once you are done, the browser hides them again.
Why is this a problem for users
The main worry is that these passwords stay in the computer memory even if you never visit the websites they belong to. To show how easy it is to see this data, Rønning created a tool called EdgeSavedPasswordsDumper and put it on GitHub.
This tool proves that if a hacker or an infostealer gets control of a computer, they can scan the process memory of the browser to find these saved passwords.
This is a big deal for offices that use terminal servers, Citrix, or Virtual Desktop Infrastructure (VDI), where many people share one machine. In these shared setups, an attacker with administrative rights can perform cross-process memory access to see the data of every user who is logged in and then steal passwords from people who aren’t even using the browser at that moment.
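One way a defender could watch for the cross-process memory reads described above, as an added example that is not from the original article or from Rønning's tool. It assumes Sysmon is deployed with Event ID 10 (ProcessAccess) logging and that events are already parsed into dictionaries; the sample events, the allowlist and the function name are constructed for illustration.

```python
# Added example: flag processes that open msedge.exe with memory-read rights.
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Hypothetical allowlist; replace with the security agents actually deployed.
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample events (not real telemetry). SourceUser/TargetUser are
# assumed to be present, as in recent Sysmon versions.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1010",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\admin1", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

def suspicious_edge_reads(events, allowed=ALLOWED_SOURCES):
    """Return (source_image, target_user, cross_user) for outside readers of Edge memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue  # only ProcessAccess events carry GrantedAccess
        target = ev["TargetImage"].lower()
        if not target.endswith("\\msedge.exe"):
            continue
        src = ev["SourceImage"].lower()
        # Skip Edge's own processes (same full path, not just same file name)
        # and approved agents.
        if src == target or src in allowed:
            continue
        if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            continue  # the handle cannot be used to read memory
        # On terminal servers and VDI hosts, a reader running as a different
        # user than the browser's owner is the case the article warns about.
        cross_user = ev.get("SourceUser", "").lower() != ev.get("TargetUser", "").lower()
        hits.append((ev["SourceImage"], ev.get("TargetUser", ""), cross_user))
    return hits

if __name__ == "__main__":
    for hit in suspicious_edge_reads(SAMPLE_EVENTS):
        print(hit)
```

The same filter (target image, access mask, source not allowlisted) translates directly into a SIEM query once the field names are mapped.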
What Microsoft says about the issue
When Rønning told Microsoft about this, the company said the setup was by design. The company maintains that it has to balance how fast the browser works with how safe it is. It believes that if a hacker has already gained in-depth access to your computer to scan the memory, the device is already in big trouble.
Because Microsoft doesn’t plan to change this soon, some experts suggest changing how you save your details. While Chrome uses better protection to stop other processes from stealing its keys, no browser is perfect. So, it’s better to use a separate password app instead of saving them inside your web browser, as this will keep your data away from the browser’s memory, where hackers can easily find it.
Experts’ Perspectives
Experts shared their thoughts with Hackread.com, warning that this design choice creates a massive safety gap. Craig Lurey, from the Chicago-based firm Keeper Security, noted that while Windows tries to keep apps separate, one program can still often “pillage” the memory of another.
He added that since plaintext passwords exist in Edge’s memory, other processes can read them “without restriction.” To fight this, his firm created Keeper Forcefield, which uses kernel-level protection to block hackers from reading app memory even if the computer is already compromised.
Morey Haber, from the Atlanta-based firm BeyondTrust, also criticised the move. He explained that passwords should be “transient secrets” that are used and then quickly discarded. “The moment a password is retained in clear text memory… it stops being an authentication mechanism and becomes a liability,” Haber warned. He added that if a password can be read in memory by a human or a malicious process, “it is already compromised.”

