Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Home/CyberSecurity News/Microsoft Edge Stores Passwords in Cleartext Process Memory
CyberSecurity News

Microsoft Edge Stores Passwords in Cleartext Process Memory

Key Takeaways Microsoft Edge decrypts all saved user passwords into cleartext memory upon launch, where they remain accessible throughout the browsing session. This behavior contrasts sharply with...

Jennifer sherman
Jennifer sherman
May 5, 2026 4 Min Read
61 0

Key Takeaways

  • Microsoft Edge decrypts all saved user passwords into cleartext memory upon launch, where they remain accessible throughout the browsing session.
  • This behavior contrasts sharply with other Chromium-based browsers like Google Chrome, which decrypt credentials only when actively needed.
  • The vulnerability significantly escalates risk in multi-user environments, allowing an attacker with administrative access to harvest credentials from all active Edge users.
  • Microsoft has acknowledged this behavior, stating it is “by design” and falls outside the browser’s defined threat model for local attack conditions.

A cybersecurity researcher has uncovered a critical flaw in Microsoft Edge, revealing that the browser decrypts and stores all saved user passwords in cleartext within its process memory from the moment it starts. These sensitive credentials remain unencrypted and easily accessible, regardless of whether the user interacts with the associated websites, presenting a significant security risk.

Table Of Content

  • Key Takeaways
  • Edge’s Security Posture Versus Competitors
  • Illusory Protections and Elevated Risks
  • Microsoft’s Stance and Mitigation
  • What You Should Do

The discovery, made public on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was the work of researcher @L1v1ng0ffTh3L4N. The researcher conducted a comprehensive analysis of credential memory handling across various major Chromium-based browsers, identifying Edge as the sole browser exhibiting this persistent cleartext storage behavior.

Edge’s Security Posture Versus Competitors

Unlike Microsoft Edge, other browsers, notably Google Chrome, employ more robust security measures for password management. Chrome utilizes an on-demand decryption approach, ensuring that saved credentials are only decrypted into memory precisely when required, such as during autofill operations or when a user explicitly requests to view a password.

Furthermore, Chrome enhances this protection through App-Bound Encryption. This mechanism cryptographically links decryption keys to an authenticated Chrome process, effectively preventing unauthorized processes from reusing these keys to access stored credentials. Edge, however, lacks these crucial safeguards. From the instant the browser is launched, the entire vault of saved passwords for every site is loaded into plaintext within the browser’s process memory, creating an expansive and persistent target for any attacker capable of reading that memory space.

Illusory Protections and Elevated Risks

A particularly contradictory aspect of this finding is Edge’s user interface behavior. Despite holding all passwords in cleartext memory, the browser still prompts users for re-authentication before displaying saved passwords within its Password Manager interface. This re-authentication serves only as an illusion of access control, offering no genuine protection against an attacker who can directly query the browser’s process memory.

The severity of this vulnerability intensifies dramatically in shared or multi-user computing environments, such as Remote Desktop Services (RDS) or terminal servers. In such scenarios, an attacker who gains administrative privileges can simultaneously read the memory of every active user process. A proof-of-concept video released alongside the disclosure demonstrated this risk: a compromised administrator account successfully extracted stored credentials from two other logged-on users, including those with disconnected but still active sessions, by simply accessing their Edge browser process memory.

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB

— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026

This capability transforms a single administrator-level compromise into a comprehensive credential harvesting operation across an entire multi-user environment, aligning directly with MITRE ATT&CK technique T1555.003, which addresses credential extraction from web browsers.

Microsoft’s Stance and Mitigation

Upon responsible disclosure of the vulnerability, Microsoft’s official response was that this behavior is “by design.” The company’s public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, classifying such scenarios as falling outside the browser’s defined threat model.

To aid in independent verification and raise awareness, the April 29 disclosure at BigBiteOfTech included a small educational tool. This tool allows users to confirm whether their Edge browser is indeed holding cleartext credentials in process memory.

What You Should Do

  • For Individual Users: Consider using a dedicated password manager application that stores credentials separately from the browser and requires a master password for access. Alternatively, migrate to a browser that employs on-demand decryption and app-bound encryption, such as Google Chrome.
  • For Organizations with Shared Environments: Security teams managing Windows environments, especially those operating terminal servers, VDI environments, or any shared-access systems with Edge deployed, should treat this as a high-priority configuration risk. It is strongly recommended to migrate to browsers offering more robust memory protection for credentials or implement strict controls to prevent local administrative compromise.
  • Implement Principle of Least Privilege: Ensure that users, especially in shared environments, operate with the minimum necessary privileges to reduce the impact of potential local compromises.
  • Monitor for Suspicious Activity: Enhance monitoring for unusual process memory access or credential harvesting attempts in environments where Edge is in use.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityThreatVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Apache HTTP Server Bug CVE-2021-41773 Lets Attackers Remotely Execute Code

Next Post

pnpm v8.11.0 Hardens Supply Chain Security, Mitigates npm Risks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us