Microsoft Edge Vulnerability Leaves Passwords Exposed in Process Memory

Key Takeaways

  • Microsoft Edge stores saved passwords in cleartext within its process memory at all times, even when the browser is not actively used.
  • An attacker with administrative privileges on a Windows terminal, Citrix, or VDI session can dump this memory and harvest all Edge‑saved credentials.
  • The exposed credentials enable lateral movement, impersonation, credential stuffing, ransomware deployment, and other malicious activities.
  • Unlike Chrome, Brave, and other Chromium‑based browsers that use App‑Bound Encryption (ABE) to decrypt passwords only when needed, Edge retains a design that keeps passwords constantly in memory.
  • Microsoft has classified the behavior as “by design” and has not indicated plans to change it, leaving mitigation to organizational policy and user practices.
  • Effective defenses include disabling password saving via Group Policy, adopting dedicated password‑management solutions, limiting admin rights, and monitoring for memory‑scraping behavior.

Introduction
A recent disclosure by security researcher Tom Jøran Sønstebyseter Rønning highlights a significant weakness in Microsoft Edge’s handling of saved passwords. The flaw allows anyone with administrative access to a Windows system to retrieve plaintext credentials from Edge’s process memory, regardless of whether the browser is actively in use. This issue has serious implications for shared corporate environments where terminal services, Citrix, or virtual desktop infrastructures (VDI) are common.

Discovery of the Vulnerability
Rønning, an offensive‑security specialist and internal penetration tester who leads a technical team at Norway’s Statnett SF, uncovered the problem during personal research. He demonstrated that Edge decrypts and stores every saved password in cleartext within its own process memory at all times. Notably, this occurs even if the user never visits the associated website after saving the credential. Rønning published a proof‑of‑concept (PoC) tool and supporting resources on GitHub after presenting his findings at Palo Alto Networks Norway’s BIG Bite of Tech conference.

How the Attack Works
With administrative privileges on a Windows endpoint—whether via a terminal server, Citrix session, or VDI—an attacker can read the memory of any logged‑on user process. By dumping Edge’s process memory, the attacker extracts all stored usernames and passwords in plaintext. Rønning explained to Dark Reading that once this memory access is achieved, the attacker can “snowball” into additional user credentials and escalate privileges, using the harvested data for lateral movement, impersonation, financial theft, or ransomware campaigns.

Why the Risk Is Amplified in Shared Environments
In enterprise settings where multiple users share a single machine or session, the impact multiplies. An admin who gains a foothold on one endpoint can potentially harvest credentials from every other user whose passwords are saved in Edge. This widens the blast radius: a single compromised endpoint can lead to credential exposure across numerous accounts and systems, undermining the assumption that password protection is limited to the individual user’s session.

Edge’s Design Versus Other Chromium Browsers
Edge is built on the open‑source Chromium framework, the same foundation used by Google Chrome, Opera, Brave, and Vivaldi. However, Rønning’s testing revealed that Edge is the only Chromium‑based browser that retains passwords in cleartext memory continuously. Chrome, for example, employs App‑Bound Encryption (ABE), which binds decryption to an authenticated Chrome process and only decrypts credentials when they are needed for autofill or user viewing. Consequently, Chrome’s plaintext passwords appear only briefly in memory, making large‑scale memory scraping far less effective. Brave and other ABE‑enabled browsers exhibit similar protection.

Microsoft’s Position
When Rønning reported the issue, Microsoft responded that the behavior is “by design.” The company’s rationale, as relayed by the researcher, is that once an attacker possesses administrator rights, traditional security boundaries are considered moot. Microsoft has not indicated any intention to alter Edge’s password‑storage mechanism, nor has it provided a public comment on potential mitigations despite requests from Dark Reading.

Defensive Recommendations for Organizations
For organizations that rely on Edge as the default browser in Windows environments, the most straightforward mitigation is to disable password saving via Group Policy. This prevents Edge from storing credentials altogether, eliminating the memory‑exposure vector. Personal users who cannot enforce such policies are advised to avoid Edge for password storage and consider alternative browsers with stronger protections.
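The Group Policy mitigation above can also be applied or audited directly on a host. The following PowerShell script is an added example (not from the article, the researcher, or Microsoft): it writes the machine‑wide Edge policy value `PasswordManagerEnabled`, which is the registry setting the "Enable saving passwords to the password manager" Group Policy template controls, and reports the policy state before and after. The registry path and policy name are Microsoft's documented Edge policy locations; the function names are this example's own. Run it from an elevated session, since it writes under HKLM.

```powershell
# Added example: enforce and audit the "disable password saving" mitigation
# on a single Windows host via the machine-wide Edge policy registry value.
# PasswordManagerEnabled = 0 disables saving passwords to Edge's built-in
# password manager (same setting the Edge ADMX Group Policy template writes).
# Requires an elevated PowerShell session because HKLM is modified.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName    = 'PasswordManagerEnabled'

function Get-EdgePasswordManagerPolicy {
    # Returns 'NotConfigured', 'Enabled' or 'Disabled' for the machine policy.
    $item = Get-ItemProperty -Path $EdgePolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item)         { return 'NotConfigured' }
    if ($item.$PolicyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-EdgePasswordManager {
    # Creates the policy key if missing and sets PasswordManagerEnabled to 0.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $EdgePolicyKey)) {
        New-Item -Path $EdgePolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$EdgePolicyKey\$PolicyName", 'Set DWORD value to 0 (disable saving passwords)')) {
        New-ItemProperty -Path $EdgePolicyKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit, enforce, re-audit.
"Before: $(Get-EdgePasswordManagerPolicy)"
Disable-EdgePasswordManager
"After:  $(Get-EdgePasswordManagerPolicy)"
```

Edge reads machine policies from this key, and the effective setting can be confirmed in the browser at edge://policy. Two caveats: in a domain, the equivalent Group Policy Object is the right place to set this so the value is re‑applied centrally rather than on one host, and Microsoft's policy documentation states that disabling the policy blocks saving new passwords while previously saved entries remain usable, so credentials already stored in Edge should be cleared separately for the mitigation to be complete.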

Security experts such as Danwei Tran Luciani of Detectify recommend reducing reliance on browsers as credential stores in enterprise contexts. Instead, firms should adopt dedicated, managed password solutions with stronger access controls, apply the principle of least privilege by limiting local and admin rights, and implement rigorous endpoint monitoring, particularly for anomalous memory‑scraping activity. Attention should also be paid to where browsers are deployed; shared machines, virtual environments, and privileged sessions carry heightened risk and warrant stricter controls.
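The monitoring recommendation above can be made concrete with Sysmon, whose Event ID 10 (ProcessAccess) records one process opening a handle to another together with the Win32 access mask it was granted. The script below is an added example (not from the article or from Detectify): it flags any non‑Edge process that opened `msedge.exe` with the `PROCESS_VM_READ` right, which is the right any memory read requires. The sample events are constructed for this example; `Get-SysmonProcessAccessEvents` reads the real Sysmon channel and assumes Sysmon is installed with a ProcessAccess rule that logs Edge as a target, and the function names are this example's own.

```powershell
# Added example: detect cross-process memory reads of Microsoft Edge using
# Sysmon Event ID 10 (ProcessAccess). Sysmon records the granted access mask
# as a hex string in the GrantedAccess field; PROCESS_VM_READ (0x0010) is the
# right a process needs to read another process's memory.

$PROCESS_VM_READ = 0x0010

function Test-MemoryReadAccess {
    param([string]$GrantedAccess)   # e.g. '0x1010' or '0x1FFFFF'
    $mask = [Convert]::ToInt32($GrantedAccess, 16)
    return (($mask -band $PROCESS_VM_READ) -ne 0)
}

function Get-SysmonProcessAccessEvents {
    # Pull recent Event ID 10 records from the live Sysmon channel and flatten
    # the EventData <Data Name="..."> elements into one object per event.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]$fields
        }
}

function Get-EdgeMemoryReaders {
    # Returns one finding per event in which a process other than Edge itself
    # opened msedge.exe with memory-read access. Edge's browser and renderer
    # processes legitimately open each other, so those are excluded.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetImage -notmatch '\\msedge\.exe$') { continue }
        if ($e.SourceImage -match '\\msedge\.exe$')    { continue }
        if (-not (Test-MemoryReadAccess $e.GrantedAccess)) { continue }
        [pscustomobject]@{
            SourceImage     = $e.SourceImage
            SourceProcessId = $e.SourceProcessId
            TargetProcessId = $e.TargetProcessId
            GrantedAccess   = $e.GrantedAccess
            Reason          = 'Non-Edge process opened msedge.exe with PROCESS_VM_READ'
        }
    }
}

# Constructed sample events (shape of flattened Sysmon Event ID 10 records).
$EdgePath = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$SampleEvents = @(
    # Edge browser process opening one of its own renderers: expected, ignored.
    [pscustomobject]@{ SourceImage = $EdgePath; TargetImage = $EdgePath; GrantedAccess = '0x1FFFFF'; SourceProcessId = 4120; TargetProcessId = 5216 }
    # Query-only access (0x1400 = QUERY_INFORMATION | QUERY_LIMITED_INFORMATION): no VM_READ bit, ignored.
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\taskmgr.exe'; TargetImage = $EdgePath; GrantedAccess = '0x1400'; SourceProcessId = 6004; TargetProcessId = 5216 }
    # Unknown binary with 0x1010 = VM_READ | QUERY_LIMITED_INFORMATION: flagged.
    [pscustomobject]@{ SourceImage = 'C:\Users\Public\unknown-tool.exe'; TargetImage = $EdgePath; GrantedAccess = '0x1010'; SourceProcessId = 7788; TargetProcessId = 5216 }
)

Get-EdgeMemoryReaders -Events $SampleEvents | Format-Table -AutoSize

# Against a live host with Sysmon installed:
#   Get-EdgeMemoryReaders -Events (Get-SysmonProcessAccessEvents) | Format-Table -AutoSize
```

On the constructed input only the third event is reported. In production the source‑image exclusion list needs to be extended with the environment's legitimate tools (EDR agents, backup software, crash reporters) to keep the signal usable, and the same rule applies unchanged to other browser or credential‑holding processes by changing the target image pattern.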

Conclusion
The discovery that Microsoft Edge retains saved passwords in cleartext process memory at all times exposes a critical gap in credential protection, especially within admin‑rich, shared‑use infrastructures. While Microsoft regards the current implementation as intentional, the security community views it as an unnecessary risk that can be mitigated through policy changes, alternative credential‑management tools, and vigilant monitoring. Organizations handling sensitive data should reassess their reliance on browser‑based password storage and adopt layered defenses to prevent credential theft from turning a local admin foothold into a widespread breach.
