Inherited Browser Credential Risk in Public Sector: Why Patching Falls Short

0
4

Key Takeaways

  • Microsoft Edge previously loaded the entire saved‑password vault into plaintext process memory at browser start, keeping it accessible for the whole session.
  • A Norwegian security researcher showed that credentials could be extracted with only elevated‑process‑memory access, using readily available infostealer malware.
  • Microsoft initially defended the behavior as “by design,” arguing admin access already compromises the device, but reversed the stance under public pressure and released Edge 148, which stops pre‑loading passwords.
  • The fix does not erase historic exposure; credentials that were in memory while the flaw existed remain a risk, especially on shared or terminal‑server workstations common in the public sector.
  • Public‑sector environments amplify the impact because shared machines store credentials for multiple users, often linked to broad administrative rights, and off‑boarding rarely clears browser‑saved passwords.
  • Technical mitigation (Edge 148) must be paired with formal policy: disable the built‑in password manager via Group Policy or Intune, inventory browser‑stored credentials, and integrate credential hygiene into onboarding/off‑boarding workflows.
  • Agencies should verify the Edge version across their estate, audit existing password stores, and treat browser credential handling as a governance issue, not merely a patch‑management task.

Overview of the Edge password memory issue
Microsoft Edge, as the default browser bundled with Windows, was found to load the complete saved‑password vault into plaintext process memory each time the browser launched. Unlike Chrome and Brave, which employ app‑bound encryption and decrypt credentials only during autofill, Edge kept the full vault decrypted for the entire user session. This design meant that any process with sufficient privileges could read all stored passwords at any moment, turning the browser into a persistent credential repository rather than a just‑in‑time decryption service.

Researcher demonstration and proof‑of‑concept
In early May 2026, Norwegian security researcher Tom Jøran Sønstebyseter Rønning published a proof‑of‑concept tool that extracted Edge’s plaintext password vault from memory. The exploit required only the ability to read process memory with elevated privileges—no sophisticated zero‑day chaining or kernel exploits. The researcher highlighted that off‑the‑shelf infostealer malware, sold for a few hundred dollars per month on underground forums, already automates this exact technique, scraping browser memory for credentials without needing advanced skill.

Microsoft’s initial “by design” stance
Microsoft’s first response defended the behavior as intentional, asserting that if an attacker already possesses administrator‑level access, the device is compromised and the browser is not the final line of defense. While technically accurate, the reply missed the point: admin access does not guarantee that all sensitive data is equally exposed. Edge’s always‑decrypted vault amplified the impact of such access, turning a broad compromise into a credential‑harvesting bonanza.

Public pressure and the Edge 148 fix
Within two weeks of the researcher’s disclosure, public criticism forced Microsoft to reverse its position. The company announced that Edge version 148 would cease loading passwords into memory at startup, adopting a decrypt‑on‑demand approach similar to Chrome and Brave. The patch was notable for its speed—turning a long‑held design decision into a remedial update in a fortnight—but it addressed only future exposure, not the data that may have already been harvested.

Why the fix matters for public sector
Public‑sector IT estates frequently rely on shared workstations, terminal servers, and shift‑based machines where multiple users log on and off throughout the day. In these settings, a single administrative breach can expose every session residing in memory, including those of users who logged off hours earlier. Because Edge kept the full password vault in plaintext, any attacker with admin rights could instantly harvest credentials for all accounts stored on the machine, magnifying the damage of a compromised workstation in benefits offices, licensing departments, or administrative service desks.

Shared‑machine exposure in government environments
Shared machines are commonplace across government agencies, often connected to terminal‑server environments where disconnected sessions remain loaded in memory. When an attacker gains administrative access on such a system, they can reach every user’s session, extracting not only current passwords but also those belonging to employees who have already logged off. This persistence is especially problematic given that public‑sector IT estates are typically built over decades, with loosely segmented systems and entitlements that accumulate over time without regular pruning.

Credential reuse and lateral movement risks
Credentials harvested from a browser on a shared government workstation often unlock more than the immediate application; they frequently provide broad administrative rights that span multiple, inadequately reviewed systems. Attackers can use these credentials as a foothold for lateral movement, navigating across authentication domains that were never formally aligned. Moreover, staff turnover—contractors, temporaries, and rotating workers—means that browser‑saved passwords are seldom cleared during off‑boarding, leaving stale credentials in the vault that belong to individuals no longer affiliated with the agency.

Policy gaps and the need for governance
The Edge 148 update will not install itself; it requires active deployment via Group Policy, Microsoft Intune, or another centralized management tool. Many agencies have not yet configured browser policy at that level, leaving the update pending on individual machines or absent on intermittently connected devices. Beyond version verification, the more consequential decision concerns the built‑in password manager: most public‑sector environments have never formally governed its use, allowing staff to save credentials for convenience. This ad‑hoc practice created an uncontrolled credential store outside any inventory, turning the browser’s memory behavior into a blind spot in security governance. Disabling the password manager through policy, documenting ownership, and integrating credential hygiene into onboarding and off‑boarding procedures are essential steps to close this gap.

Next steps and recommendations
Agencies should first verify that Edge 148 (or later) is running across all endpoints, prioritizing shared and terminal‑server machines. Next, conduct an inventory of browser‑saved passwords, purge unnecessary entries, and disable the built‑in password manager via centralized policy. Incorporate browser credential checks into existing asset‑management and identity‑governance workflows, ensuring that off‑boarding includes clearing stored passwords. Finally, treat browser credential handling as a policy issue rather than a mere patch: establish clear guidelines, monitor compliance, and educate users about the risks of storing passwords in browsers on shared devices. By coupling the technical fix with rigorous governance, public‑sector organizations can mitigate both the immediate risk revealed by Edge’s memory behavior and the broader threat of credential‑based lateral movement.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here