Key Takeaways
- Microsoft Edge was loading all saved passwords into plaintext memory at browser start, even when not in use.
- Security researcher Tom Jøran Sønstebyseter Rønning disclosed the issue, showing how attackers could extract credentials via memory dumps.
- Microsoft initially defended the behavior as an “expected feature” but reversed course after community backlash.
- The forthcoming update will stop automatic password loading in all Edge channels, aligning with a defense‑in‑depth approach.
- The change reflects Microsoft’s broader Secure Future Initiative and highlights the growing importance of minimizing credential exposure in memory.
Introduction to the Discovery
Earlier this month, Norwegian security researcher Tom Jøran Sønstebyseter Rønning publicly disclosed that Microsoft Edge decrypts every password stored in its built‑in password manager as soon as the browser launches and keeps those credentials in process memory in unencrypted form. This happens regardless of whether the user is filling a form or visiting a site that needs the stored login. Rønning contrasted the behavior with that of other Chromium‑based browsers, noting that Chrome applies stricter controls that keep credential exposure to a minimum.
Technical Details of the Memory Exposure
According to Rønning, Edge's password manager uses the Windows Data Protection API (DPAPI) to decrypt its saved credentials at startup and then leaves the plaintext usernames and passwords in the browser's address space. Any code that can read Edge's memory, whether a DLL injected into the process or a separate program that opens the browser process with read access (on Windows, PROCESS_VM_READ obtained through OpenProcess and used with ReadProcessMemory), can harvest the credentials without touching the browser's UI or its on‑disk database, and a process running as the same user can normally obtain that access without elevation. Because the exposure persists for the lifetime of the browser session, memory‑scraping malware has the entire session, rather than a brief autofill moment, in which to find them.
Proof‑of‑Concept Demonstration
To substantiate his claims, Rønning released a proof‑of‑concept tool that, when run with Administrator privileges, dumps passwords from other users' Edge sessions by reading the browser's process memory. Even without elevated rights the tool can still recover the credentials of the currently logged‑in user, because a process running as that user can normally open the user's own Edge browser process for reading. The demonstration showed how a local foothold alone is enough to harvest banking logins, corporate VPN passwords, and cloud‑service tokens.
Microsoft’s Initial Defense
When Rønning first reported the issue through Microsoft’s private security channels, the company responded that the behavior did not constitute a security vulnerability because it fell within Edge’s existing threat model. After the disclosure became public, Microsoft reiterated this stance, stating, “This is an expected feature of the application,” and argued that an attacker who already possesses Administrator‑level access effectively controls the entire system, rendering additional browser protections unnecessary.
Criticism and the Defense‑in‑Depth Argument
Security professionals pushed back, emphasizing that modern browser security relies on defense‑in‑depth layers designed to limit damage even after a partial compromise. They noted that attackers often achieve local privilege escalation only after gaining an initial foothold, and reducing the amount of time credentials spend in plaintext memory can impede lateral movement within enterprise networks. Critics pointed out that infostealer families such as RedLine, Lumma, Vidar, Raccoon, and StealC specifically scrape browser memory to harvest login data for resale, making prolonged plaintext residency a significant risk factor.
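Whatever the browser does with its own memory, a defender can watch for other processes obtaining memory‑read rights on it. The following Python is an added example written for this article, not code from the article, from Microsoft, or from any of the infostealer families named above. It applies that logic to Sysmon Event ID 10 (ProcessAccess) events, which record the source image, the target image and the GrantedAccess mask for each OpenProcess call Sysmon is configured to log. The events below are constructed sample data rendered in a simple `Key: Value` text form (not Sysmon's XML), the allowlist of benign sources is an assumption to be tuned against your own baseline, and the rundll32.exe entry models a MiniDump‑style dump of the browser via comsvcs.dll.

```python
from pathlib import PureWindowsPath

# Windows process access rights (winnt.h) that matter for memory scraping and injection.
PROCESS_CREATE_THREAD     = 0x0002
PROCESS_VM_OPERATION      = 0x0008
PROCESS_VM_READ           = 0x0010
PROCESS_VM_WRITE          = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

BROWSER_TARGETS = {"msedge.exe"}
# Sources that legitimately open the browser process: an assumed starting point, to be
# tuned against your own baseline (Edge opens its own children, Defender scans memory).
ALLOWED_SOURCES = {"msedge.exe", "msedgewebview2.exe", "msmpeng.exe", "csrss.exe"}

# Constructed sample events in a simple "Key: Value" rendering of Sysmon Event ID 10
# (ProcessAccess) fields; blank lines separate events. Not real telemetry.
SAMPLE_EVENTS = r"""
EventID: 10
SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1FFFFF

EventID: 10
SourceImage: C:\Users\alice\AppData\Local\Temp\updater.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1010

EventID: 10
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1FFFFF

EventID: 10
SourceImage: C:\Users\alice\Downloads\invoice.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x143A

EventID: 10
SourceImage: C:\Windows\System32\notepad.exe
TargetImage: C:\Windows\explorer.exe
GrantedAccess: 0x1010

EventID: 10
SourceImage: C:\Windows\System32\rundll32.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1FFFFF
"""


def parse_sysmon_text(text: str) -> list:
    """Split the Key: Value rendering into one dict per event."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        events.append(current)
    return events


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def classify(event: dict):
    """Return a finding if a non-allowlisted process obtained memory-read rights on the
    browser in this ProcessAccess event, else None."""
    if event.get("EventID") != "10":
        return None
    if basename(event.get("TargetImage", "")) not in BROWSER_TARGETS:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:          # without VM_READ there is no ReadProcessMemory
        return None
    if basename(event.get("SourceImage", "")) in ALLOWED_SOURCES:
        return None
    # Write/thread rights on top of read mean injection is possible, not just scraping.
    severity = "high" if access & INJECTION_MASK else "medium"
    return {
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "access": hex(access),
        "severity": severity,
    }


def detect(text: str) -> list:
    """Run the rule over every event and keep the findings."""
    return [finding for finding in map(classify, parse_sysmon_text(text)) if finding]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['source']} -> {f['target']} ({f['access']})")
```

On the sample data this flags three of the six events: the unknown updater.exe with a read‑only mask, and invoice.exe and rundll32.exe with masks that also carry write and thread‑creation rights. Sysmon only emits ProcessAccess events for targets your configuration includes, so this rule needs a ProcessAccess include entry for msedge.exe, which most published configurations (typically tuned for lsass.exe) do not have by default.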
Microsoft’s Reversal Announcement
Facing mounting scrutiny, Microsoft changed course this week. Edge Security Lead Gareth Evans announced that the company will modify Edge so saved passwords are no longer automatically loaded into memory when the browser starts. Evans confirmed that the update will affect all supported Edge channels—Stable, Beta, Dev, Canary, and Extended Stable enterprise releases—and emphasized that the change is being prioritized as part of Microsoft’s Secure Future Initiative (SFI), a company‑wide effort to bolster security engineering following several high‑profile cyber incidents.
Details of the Fix Rollout
The mitigation has already been deployed to Edge Canary builds and is slated for broader release in upcoming updates for Edge version 148 and newer. Instead of decrypting every password at startup, Edge will retrieve and decrypt a credential only when it is needed for autofill or manual entry, reducing the plaintext residency window to the duration of that operation. The change narrows the window rather than closing it: a credential is still plaintext in memory while it is being filled, and an attacker who can read the process at that moment can still capture it, just as they can capture the session cookies and other secrets a browser must hold decrypted to function. The shift brings Edge's behavior closer to that of Chrome, Firefox, and Safari, which employ various memory‑hardening strategies to limit credential exposure.
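To make the difference between the two behaviours concrete, the following Python script is an added example written for this article; it is not Edge's code and does not reproduce Rønning's tool. It models the browser's heap as a single ctypes buffer that a scraper reads back as raw bytes, the in‑process equivalent of ReadProcessMemory. The vault contents, the XOR "encryption" (a stand‑in for the DPAPI/AES‑protected store), the fixed record layout and the regex a scraper might use are all assumptions made for the demonstration. `eager_startup` reproduces the pre‑fix behaviour described in the memory‑exposure section, `on_demand_fill` the post‑fix behaviour described above.

```python
import ctypes
import re

ARENA_SIZE = 4096
RECORD_SIZE = 128          # each decrypted record occupies a fixed slot (assumed layout)
TOY_KEY = 0x5A             # toy XOR key: stand-in for the DPAPI/AES-protected store key

# Stand-in for the browser process's heap: one buffer we can read back as raw bytes.
arena = ctypes.create_string_buffer(ARENA_SIZE)


def toy_encrypt(plain: bytes) -> bytes:
    """Toy symmetric 'encryption' so the vault itself holds no plaintext."""
    return bytes(b ^ TOY_KEY for b in plain)


# Constructed sample vault: (origin, username, encrypted password). Not real data.
VAULT = [
    ("https://bank.example", "alice", toy_encrypt(b"hunter2!")),
    ("https://vpn.corp.example", "a.smith", toy_encrypt(b"Corr3ct-Horse")),
    ("https://mail.example", "alice", toy_encrypt(b"S3cretMail")),
]


def _decrypt_into_slot(slot: int, origin: str, user: str, blob: bytes) -> None:
    """Decrypt one vault entry straight into the arena as origin\\0user\\0password\\0.
    The password is decrypted a byte at a time so the whole plaintext never exists
    as a Python object, only inside the arena (as a C++ browser would hold it)."""
    base = slot * RECORD_SIZE
    header = origin.encode() + b"\x00" + user.encode() + b"\x00"
    arena[base:base + len(header)] = header
    pos = base + len(header)
    for b in blob:
        arena[pos] = bytes((b ^ TOY_KEY,))
        pos += 1
    arena[pos] = b"\x00"


def scan_memory() -> list:
    """Attacker side: read the raw bytes of the region (the in-process analogue of
    ReadProcessMemory) and regex them for origin/user/password triples."""
    raw = ctypes.string_at(ctypes.addressof(arena), ARENA_SIZE)
    pattern = rb"(https://[\x21-\x7e]+)\x00([\x21-\x7e]+)\x00([\x21-\x7e]+)\x00"
    return [(o.decode(), u.decode(), p.decode()) for o, u, p in re.findall(pattern, raw)]


def eager_startup() -> int:
    """Pre-fix behaviour: decrypt every entry at launch and leave it resident."""
    for slot, (origin, user, blob) in enumerate(VAULT):
        _decrypt_into_slot(slot, origin, user, blob)
    return len(VAULT)


def wipe_all() -> None:
    """Zero the whole arena (what a browser would do at shutdown, if at all)."""
    ctypes.memset(ctypes.addressof(arena), 0, ARENA_SIZE)


def on_demand_fill(origin: str, use) -> bool:
    """Post-fix behaviour: decrypt only the entry a form needs, hand control to
    `use` (the autofill step) and zero the slot again before returning."""
    for origin_in_vault, user, blob in VAULT:
        if origin_in_vault != origin:
            continue
        _decrypt_into_slot(0, origin_in_vault, user, blob)
        try:
            use()                      # plaintext is resident only inside this call
        finally:
            ctypes.memset(ctypes.addressof(arena), 0, RECORD_SIZE)
        return True
    return False


def demonstrate() -> dict:
    """Count how many credentials a scraper finds under each behaviour."""
    result = {}
    eager_startup()
    result["eager_resident"] = len(scan_memory())           # every entry, all session long
    wipe_all()
    seen_during_fill = []
    on_demand_fill("https://vpn.corp.example",
                   lambda: seen_during_fill.extend(scan_memory()))
    result["ondemand_during_fill"] = len(seen_during_fill)  # only the entry in use
    result["ondemand_after_fill"] = len(scan_memory())      # nothing once the fill is done
    return result


if __name__ == "__main__":
    print(demonstrate())
```

`demonstrate()` reports three resident credentials after an eager start, one while a fill is in progress, and none afterwards. The window inside `use()` is the residual exposure the fix does not remove. Note the limits of the model: single‑byte writes and `memset` keep the plaintext out of Python's immutable objects on the store side, but the scraper's own results are ordinary `bytes`; a real browser does the equivalent scrubbing with SecureZeroMemory or explicit_bzero, and nothing here addresses copies the compiler, allocator or UI toolkit may make along the way.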
Why Browser Memory Security Matters
Modern browsers function as de facto operating systems, storing vast amounts of sensitive data, including passwords, authentication cookies, session tokens, autofill information, payment details, browsing history, and cryptographic keys. Consequently, they are prime targets for cybercriminals seeking to steal credentials, hijack sessions, or facilitate further intrusion. Because attackers increasingly rely on memory scraping rather than direct database theft, minimizing the time secrets spend decrypted in memory is a critical defense mechanism. The longer credentials remain in plaintext, the higher the likelihood that malware can capture them during a memory dump or injection attack.
Broader Focus on Defense‑in‑Depth and the Secure Future Initiative
The Edge password memory reversal arrives amid heightened pressure on technology firms to fortify endpoint security against a surge in credential‑theft operations. Microsoft’s Secure Future Initiative, launched after a series of damaging breaches involving state‑sponsored actors and cloud infrastructure, aims to embed security engineering deeper into product development. Over the past year, Microsoft has introduced several browser‑hardening measures—such as blocking malicious extension sideloading, tightening legacy IE compatibility modes, and boosting investments in phishing resistance, passkeys, hardware‑backed authentication, and isolation technologies. The Edge update exemplifies how SFI is translating into concrete, user‑facing protections that reduce attack surfaces even when a behavior does not meet the strict definition of a vulnerability.
Implications and Conclusion
For enterprise administrators and everyday users alike, the forthcoming change narrows one of the avenues used by modern infostealer malware, a threat category that has become one of the fastest‑growing segments of the cybercrime economy. As browser‑stored credentials increasingly serve as gateways to corporate VPNs, cryptocurrency wallets, and identity systems, even seemingly minor adjustments to how passwords are handled internally can yield outsized security benefits. The episode underscores the power of coordinated disclosure and community pressure: when researchers highlight unnecessary exposure, vendors can respond with mitigations that improve overall security posture, even if the original behavior was not classified as a formal vulnerability. By embracing a defense‑in‑depth mindset, Microsoft is taking a step toward making credential theft harder, thereby protecting both individual users and the broader digital ecosystem.