Microsoft: Edge loads full password vault into RAM ‘by design’
A researcher found Microsoft Edge places the entire saved password vault in plaintext RAM at startup. Microsoft called the behavior ‘by design’ after a proof-of-concept demonstration.
A security researcher who tested major Chromium-based browsers reported that Microsoft Edge loads the entire saved password vault into plaintext process memory at startup and keeps it there for the session.
The researcher published a proof-of-concept showing saved credentials can be read from the browser’s process memory. The demonstration did not rely on a browser vulnerability; it used the ability to read another process’s memory, a capability that typically requires elevated privileges on the machine.
In the researcher’s tests, Google Chrome and other Chromium browsers decrypted individual passwords only when needed for autofill or when the user chose to reveal a password. Those browsers were observed to protect their encryption keys with platform-specific measures such as app-bound encryption. The researcher reported that Edge does not follow this decrypt-on-demand pattern.
After the researcher disclosed the finding to Microsoft, the company called the behavior ‘by design’. Microsoft did not provide additional public detail about whether Edge will change how it handles in-memory credential storage or whether future updates will alter key protection or decryption timing.
Security researchers note that reading another process’s memory generally requires a prior compromise or elevated access, such as code execution on the machine or software already running with sufficient permissions. The researcher emphasized that the proof-of-concept shows an attacker who can inspect process memory could retrieve stored credentials without exploiting a browser bug.
A 2024 academic study also found that several password managers can expose plaintext passwords in memory under certain conditions. The researcher’s report and the academic work have drawn renewed attention to how built-in browser password managers handle stored credentials and to additional protections such as multi-factor authentication.
The researcher’s disclosure focused on differences in how Chromium-based browsers manage decrypted credentials in memory and on the practical ability to extract those credentials when an attacker can read process memory. Microsoft’s characterization of Edge’s behavior as ‘by design’ indicates the company does not classify the finding as a vulnerability requiring a patch at this time.
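Because the demonstration depends on a process reading Edge’s memory rather than on a browser bug, the practical defensive check is to watch for that access pattern. The following detection sketch is an added example, not code from the researcher or Microsoft: it assumes the endpoint forwards Sysmon ProcessAccess (Event ID 10) records, flattened here into a constructed key=value form, and flags handles opened on msedge.exe with the PROCESS_VM_READ right by a process outside a hypothetical allowlist.

```python
from dataclasses import dataclass

# Win32 access-right bits relevant to reading another process's memory
# (checked against the GrantedAccess mask Sysmon reports).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Browser images whose memory may hold decrypted credentials (Edge per the report).
BROWSER_IMAGES = {"msedge.exe"}

# Hypothetical allowlist of security software that legitimately opens browser
# processes with VM_READ in many fleets; tune per environment.
ALLOWLIST = {"MsMpEng.exe"}

# Constructed sample events in a flattened key=value form, not real Sysmon XML.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Users\alice\Downloads\memdump.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\alice\Downloads\memdump.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1010",
    r"EventID=1|Image=C:\Users\alice\Downloads\memdump.exe|CommandLine=memdump.exe",
]


@dataclass
class Alert:
    source: str   # image name of the process that opened the handle
    target: str   # browser image whose memory was opened
    granted: int  # GrantedAccess mask as an integer


def parse_event(line: str) -> dict:
    """Split a flattened 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def flag_browser_memory_reads(lines):
    """Return alerts for non-allowlisted processes opening a browser with VM_READ."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":            # only ProcessAccess events matter
            continue
        src = ev["SourceImage"].rsplit("\\", 1)[-1]
        tgt = ev["TargetImage"].rsplit("\\", 1)[-1]
        granted = int(ev["GrantedAccess"], 16)    # Sysmon logs the mask as 0x...
        if tgt.lower() not in BROWSER_IMAGES or not (granted & PROCESS_VM_READ):
            continue                              # wrong target, or no read right
        if src in ALLOWLIST:
            continue                              # known-good security tooling
        alerts.append(Alert(src, tgt, granted))
    return alerts


if __name__ == "__main__":
    for a in flag_browser_memory_reads(SAMPLE_EVENTS):
        print(f"ALERT: {a.source} opened {a.target} with 0x{a.granted:X}")
```

The explorer.exe record is deliberately ignored because 0x1000 grants only limited query rights, not memory reads, so the rule keys on the access mask rather than on the mere existence of a handle.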