Microsoft Edge will stop plaintext passwords in memory

Microsoft says future versions of Edge will no longer decrypt and place saved passwords into process memory at startup, responding to a disclosure that showed credentials being loaded in clear text, where they could be extracted by attackers with Administrator privile
When Edge starts up, it has been doing something security researchers say it shouldn’t: pulling saved credentials out of storage, decrypting them, and keeping them in process memory in clear text.
The issue was demonstrated publicly on May 4 by researcher Tom Jøran Sønstebyseter Rønning, who showed that credentials stored in Edge’s built-in password manager were decrypted on launch and remained accessible in memory even when not in use. Rønning also released a proof-of-concept tool aimed at attackers who already have Administrator privileges, capable of dumping passwords from other users’ Edge processes. Without admin rights, the PoC was limited to Edge processes launched by the same user.
Rønning said he reported the behavior to Microsoft and was told it was “by design” before he disclosed it. In his write-up, he pointed to a difference from other browsers, saying Edge was the only Chromium-based one he had tested that behaved this way. He contrasted it with Chrome, which he said uses a design that makes it far harder to extract saved passwords just by reading process memory.
Microsoft’s position has now shifted from “expected” to a change in the product itself. On Wednesday, the company announced that future Edge releases will stop loading saved passwords into memory at startup, even though Microsoft previously characterized the disclosed extraction scenario as fitting within its existing threat model. That threat model, Microsoft says, excludes cases where an adversary already has administrative control of a device.
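The scenario above (a separate process, with or without admin rights, reading an Edge process's memory) leaves a trace that defenders can alert on: a cross-process handle opened with read access. The following is an added detection example, not code from the article, from Microsoft, or from the researcher's PoC. It assumes Sysmon Event ID 10 (ProcessAccess) data flattened into a simple key=value line format (the log lines are constructed for the example) and uses the real Windows access-right constants PROCESS_VM_READ (0x0010) and PROCESS_QUERY_INFORMATION (0x0400). The allow-list of expected source processes is a placeholder to tune per environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows process access rights a caller needs to read another process's
# memory (PROCESS_VM_READ) and to enumerate its regions (PROCESS_QUERY_INFORMATION).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Browser processes whose memory may hold decrypted saved passwords.
BROWSER_IMAGES = {"msedge.exe"}

# Constructed allow-list of processes expected to open browser processes
# (the browser's own child processes, the Windows subsystem); tune per environment.
ALLOWED_SOURCES = {"msedge.exe", "csrss.exe"}

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcessAccess:
    source_image: str
    source_user: str
    target_image: str
    target_user: str
    granted_access: int


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Parse one log line; return None unless it is a Sysmon Event ID 10 record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("EventID") != "10":
        return None
    return ProcessAccess(
        source_image=_basename(fields["SourceImage"]),
        source_user=fields["SourceUser"].lower(),
        target_image=_basename(fields["TargetImage"]),
        target_user=fields["TargetUser"].lower(),
        granted_access=int(fields["GrantedAccess"], 16),
    )


def classify(ev: ProcessAccess) -> Optional[str]:
    """Return a severity for a suspicious browser-memory read, or None if benign."""
    if ev.target_image not in BROWSER_IMAGES:
        return None
    if not ev.granted_access & PROCESS_VM_READ:
        return None  # a handle without read access cannot dump memory
    if ev.source_image in ALLOWED_SOURCES:
        return None
    # A reader running as a different user than the browser's owner matches the
    # admin-reads-other-users'-processes case from the disclosure.
    if ev.source_user != ev.target_user:
        return "high"
    return "medium"


def detect(log_text: str) -> list[tuple[str, str, str, str]]:
    """Run the rule over a log; return (severity, source_image, source_user, target_user)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        severity = classify(ev)
        if severity:
            alerts.append((severity, ev.source_image, ev.source_user, ev.target_user))
    return alerts


# Constructed sample lines in a simplified Sysmon Event ID 10 layout (not real telemetry).
SAMPLE_LOG = r"""
EventID=10 SourceImage="C:\Tools\memdump.exe" SourceUser=CORP\admin TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetUser=CORP\alice GrantedAccess=0x1010
EventID=10 SourceImage="C:\Tools\memdump.exe" SourceUser=CORP\bob TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetUser=CORP\bob GrantedAccess=0x1010
EventID=10 SourceImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" SourceUser=CORP\alice TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetUser=CORP\alice GrantedAccess=0x1FFFFF
EventID=10 SourceImage="C:\Windows\System32\svchost.exe" SourceUser="NT AUTHORITY\SYSTEM" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetUser=CORP\alice GrantedAccess=0x1400
EventID=1 Image="C:\Tools\memdump.exe" User=CORP\admin
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the rule raises a high-severity alert for the cross-user read (admin reading alice's Edge process) and a medium one for the same-user read, while ignoring Edge's own child-process handles, a query-only handle that lacks PROCESS_VM_READ, and non-ProcessAccess events. The user comparison is what separates the two cases the disclosure distinguishes; the allow-list is where most tuning effort goes in practice, since legitimate tools such as crash handlers also open browser processes with read access.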
Edge Security Lead Gareth Evans said the update is being treated as a defense-in-depth move: “This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we’re prioritizing the rollout.”
Microsoft also framed the decision as part of a broader look at security, one focused not only on whether a behavior meets a strict “security issue” bar, but on reducing exposure where possible. “Reducing the exposure of passwords in memory is a practical step in that direction,” Evans said, tying the update to the company’s Secure Future Initiative and customer feedback.
The fix has already landed in the Edge Canary channel. It will be included in the next update for all supported Edge releases starting with build 148 and newer.
The announcement comes after other Edge security moves Microsoft made over the last year, including new protections intended to limit the risk from malicious extensions sideloaded into the browser. Microsoft also restricted access to Edge’s Internet Explorer mode after hackers began using zero-day exploits in the Chakra JavaScript engine to reach target devices.