Microsoft Edge Stores Passwords in Cleartext Process Memory
Key Takeaways Microsoft Edge decrypts all saved user passwords into cleartext memory upon launch, where they remain accessible throughout the browsing session. This behavior contrasts sharply with...
Key Takeaways
- Microsoft Edge decrypts all saved user passwords into cleartext memory upon launch, where they remain accessible throughout the browsing session.
- This behavior contrasts sharply with other Chromium-based browsers like Google Chrome, which decrypt credentials only when actively needed.
- The vulnerability significantly escalates risk in multi-user environments, allowing an attacker with administrative access to harvest credentials from all active Edge users.
- Microsoft has acknowledged this behavior, stating it is “by design” and falls outside the browser’s defined threat model for local attack conditions.
A cybersecurity researcher has uncovered a critical flaw in Microsoft Edge, revealing that the browser decrypts and stores all saved user passwords in cleartext within its process memory from the moment it starts. These sensitive credentials remain unencrypted and easily accessible, regardless of whether the user interacts with the associated websites, presenting a significant security risk.
Table Of Content
The discovery, made public on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was the work of researcher @L1v1ng0ffTh3L4N. The researcher conducted a comprehensive analysis of credential memory handling across various major Chromium-based browsers, identifying Edge as the sole browser exhibiting this persistent cleartext storage behavior.
Edge’s Security Posture Versus Competitors
Unlike Microsoft Edge, other browsers, notably Google Chrome, employ more robust security measures for password management. Chrome utilizes an on-demand decryption approach, ensuring that saved credentials are only decrypted into memory precisely when required, such as during autofill operations or when a user explicitly requests to view a password.
Furthermore, Chrome enhances this protection through App-Bound Encryption. This mechanism cryptographically links decryption keys to an authenticated Chrome process, effectively preventing unauthorized processes from reusing these keys to access stored credentials. Edge, however, lacks these crucial safeguards. From the instant the browser is launched, the entire vault of saved passwords for every site is loaded into plaintext within the browser’s process memory, creating an expansive and persistent target for any attacker capable of reading that memory space.
Illusory Protections and Elevated Risks
A particularly contradictory aspect of this finding is Edge’s user interface behavior. Despite holding all passwords in cleartext memory, the browser still prompts users for re-authentication before displaying saved passwords within its Password Manager interface. This re-authentication serves only as an illusion of access control, offering no genuine protection against an attacker who can directly query the browser’s process memory.
The severity of this vulnerability intensifies dramatically in shared or multi-user computing environments, such as Remote Desktop Services (RDS) or terminal servers. In such scenarios, an attacker who gains administrative privileges can simultaneously read the memory of every active user process. A proof-of-concept video released alongside the disclosure demonstrated this risk: a compromised administrator account successfully extracted stored credentials from two other logged-on users, including those with disconnected but still active sessions, by simply accessing their Edge browser process memory.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
This capability transforms a single administrator-level compromise into a comprehensive credential harvesting operation across an entire multi-user environment, aligning directly with MITRE ATT&CK technique T1555.003, which addresses credential extraction from web browsers.
Microsoft’s Stance and Mitigation
Upon responsible disclosure of the vulnerability, Microsoft’s official response was that this behavior is “by design.” The company’s public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, classifying such scenarios as falling outside the browser’s defined threat model.
To aid in independent verification and raise awareness, the April 29 disclosure at BigBiteOfTech included a small educational tool. This tool allows users to confirm whether their Edge browser is indeed holding cleartext credentials in process memory.
What You Should Do
- For Individual Users: Consider using a dedicated password manager application that stores credentials separately from the browser and requires a master password for access. Alternatively, migrate to a browser that employs on-demand decryption and app-bound encryption, such as Google Chrome.
- For Organizations with Shared Environments: Security teams managing Windows environments, especially those operating terminal servers, VDI environments, or any shared-access systems with Edge deployed, should treat this as a high-priority configuration risk. It is strongly recommended to migrate to browsers offering more robust memory protection for credentials or implement strict controls to prevent local administrative compromise.
- Implement Principle of Least Privilege: Ensure that users, especially in shared environments, operate with the minimum necessary privileges to reduce the impact of potential local compromises.
- Monitor for Suspicious Activity: Enhance monitoring for unusual process memory access or credential harvesting attempts in environments where Edge is in use.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.