Microsoft Says Edge Password Security Vulnerability Is ‘By Design’—Is It Time To Switch To Chrome?
Microsoft says the design speeds sign-ins, but researchers warn it leaves saved credentials exposed in memory to anyone with admin access.
- Security researcher Tom Jøran Sønstebyseter Rønning discovered on Monday that Microsoft Edge loads all saved passwords into RAM in cleartext at startup, creating a potential security vulnerability.
- Unlike Google Chrome, which decrypts credentials only when needed, Edge keeps all passwords resident in process memory throughout the session. Rønning warned that Edge is the only Chromium-based browser he tested exhibiting this behavior.
- Security researcher Rob VandenBrink replicated the findings using "Create Memory Dump," while Morey Haber, chief security advisor at BeyondTrust, stated the practice "violates the principles of least privilege, zero trust, and secure application design."
- Microsoft acknowledged the behavior, asserting it improves performance and is an "expected feature." A spokesperson stated, "Access to browser data as described in the reported scenario would require the device to already be compromised."
- Experts broadly agree that administrative access equals full system compromise, sparking debate over whether the risk is overblown. Security professionals recommend using dedicated password managers rather than relying on browser-based storage.
13 Articles
Microsoft Edge stores all your saved passwords unencrypted in memory
Security researcher Tom Jøran Sønstebyseter Rønning recently shared evidence that Microsoft's web browser-based password manager stores all of its saved passwords in memory without encryption while running. He released and demonstrated a simple proof of concept that displays the passwords and their associated accounts.
Edge browser has a serious password safety problem, but Microsoft says it’s by design
A security researcher found that Microsoft Edge loads all saved passwords into unencrypted memory at startup, keeping them exposed for the entire session even when they are not in use.
Windows 10 and 11 use memory isolation to run processes in separate virtual address spaces. However, under certain conditions, an ordinary application process can continue to access the memory of another process in user mode. This raises the fear that malware running with normal user rights can directly extract sensitive information such as passwords and authentication tokens [...]
Coverage Details
Bias Distribution
- 80% of the sources are Center