A new security report has raised concerns about how Microsoft Edge handles saved passwords. A cybersecurity researcher claims the browser loads all stored credentials into system memory in plain text, which makes them easier to access under certain conditions.
The issue was highlighted by security researcher Tom Jøran Sønstebyseter Rønning, who also released a proof-of-concept tool to demonstrate the behavior. According to his findings, Edge decrypts every saved password at startup and keeps them in readable form in RAM, even if the user does not visit those websites during the session.
In simple terms, when you open Edge, all your saved usernames and passwords are loaded into memory in plain text. This means they are not encrypted while the browser is running. The researcher showed that these credentials can be extracted using memory inspection tools if someone has enough access to the system.
This behavior appears to be unique to Edge among Chromium-based browsers. Alternatives like Google Chrome and Brave typically decrypt passwords only when needed, instead of keeping the entire database exposed in memory.
Microsoft does not see this as a vulnerability. The company reportedly classified the behavior as intentional. In its response, Microsoft said that accessing this data would require the device to already be compromised. It also explained that loading passwords into memory helps improve performance and makes sign-in faster for users.
Technically, this is not a remote exploit. An attacker cannot access your passwords over the internet using this issue alone. They need local or administrative access to your system first. But that does not make it harmless.
If a system is already compromised by malware, this design makes things much easier for attackers. Instead of breaking encryption, they can simply read passwords directly from memory.
The risk becomes higher in shared environments like offices, schools, or enterprise systems. If one account with admin access is compromised, it could expose credentials from multiple users running Edge on the same machine.
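For defenders, the local-access scenario described above leaves a trace: reading another process's memory on Windows requires a handle with the PROCESS_VM_READ right, and Sysmon records such handle requests as Event ID 10 (ProcessAccess). The following is an added example, not code from the researcher or from Microsoft; the sample events, the paths in them and the allowlist are constructed assumptions, while the field names follow the Sysmon ProcessAccess schema.

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records for
# memory-read handles opened on Microsoft Edge by other programs.
import ntpath

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
EDGE_IMAGE = "msedge.exe"
# Assumption: tools a site expects to inspect browsers (AV/EDR); tune locally.
ALLOWED_SOURCES = {"msmpeng.exe"}
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

def _ev(src, access, src_user, tgt_user, tgt=EDGE):
    return {"SourceImage": src, "TargetImage": tgt, "GrantedAccess": access,
            "SourceUser": src_user, "TargetUser": tgt_user}

# Constructed sample events (not taken from a real host).
SAMPLE_EVENTS = [
    _ev(EDGE, "0x1fffff", r"LAB\alice", r"LAB\alice"),            # Edge child process
    _ev(r"C:\Users\alice\AppData\Local\Temp\reader.exe", "0x1410",
        r"LAB\alice", r"LAB\alice"),                              # same-user read
    _ev(r"C:\Tools\inspect.exe", "0x1fffff", r"LAB\admin", r"LAB\bob"),
    _ev(r"C:\Windows\System32\taskmgr.exe", "0x1000",
        r"LAB\alice", r"LAB\alice"),                              # query only
    _ev(r"C:\ProgramData\Defender\MsMpEng.exe", "0x1410",
        r"NT AUTHORITY\SYSTEM", r"LAB\alice"),                    # allowlisted
]

def suspicious_edge_reads(events):
    """Return findings for non-Edge processes granted VM_READ on msedge.exe."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != EDGE_IMAGE:
            continue
        # Edge's own processes open each other; require the exact same image path
        # so a look-alike msedge.exe in another directory is still reported.
        if ev["SourceImage"].lower() == ev["TargetImage"].lower():
            continue
        if ntpath.basename(ev["SourceImage"]).lower() in ALLOWED_SOURCES:
            continue
        if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
            continue
        findings.append({
            "source": ev["SourceImage"],
            "access": ev["GrantedAccess"],
            # Admin reading another user's browser: the shared-machine case.
            "cross_user": ev["SourceUser"].lower() != ev["TargetUser"].lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in suspicious_edge_reads(SAMPLE_EVENTS):
        print(finding)
```

The cross_user flag separates the shared-machine case, where one account opens another user's Edge process, from same-user access.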
Microsoft is not completely wrong here. If an attacker has full access to your system, you already have a serious problem. At that point, many defenses can be bypassed.
But that logic feels a bit incomplete. Security today is about layers. Even if one layer fails, others should slow down or limit damage. In this case, Edge removes one important layer by keeping all passwords ready in plain text throughout the session.
This design also feels inconsistent. Edge still asks for authentication when you try to view saved passwords, but internally, those passwords are already exposed in memory. That creates a false sense of security.
Another important point is comparison. Other browsers have moved to on-demand decryption and additional protections. Edge choosing a different path raises questions, especially when the industry is moving toward stricter security practices.
That said, users do not need to panic. This is not something that can be exploited remotely without access to your device. But it again shows the importance of using a dedicated password manager in place of saving passwords in the browser. Dedicated tools like NordPass or Proton Pass follow a more security-focused approach, with stronger encryption and tighter controls over how credentials are accessed. Even if you do not switch completely, using such tools for important accounts can add an extra layer of protection.

