Edge loads full password vault into plaintext memory — Microsoft

A researcher found Edge loads the full saved-password vault into plaintext process memory at startup and leaves it readable for the session; Microsoft calls the behavior “by design”.

A security researcher who tested major Chromium-based browsers reported that Microsoft Edge loads the full saved-password vault into plaintext process memory at startup and leaves it readable for the duration of the session. The researcher published a proof-of-concept showing the vault can be extracted by reading the browser process memory.

The researcher observed that Chrome and several other Chromium browsers decrypt individual passwords only when needed for autofill or when a user clicks “show password”, and that Chrome additionally protects the store’s key with App-Bound Encryption, which routes key decryption through a privileged service that verifies the caller is the browser, so a process running merely as the same user cannot unwrap the on-disk store. In the researcher’s tests, Edge instead placed the entire store in cleartext in its process memory from launch rather than decrypting entries on demand.

The proof-of-concept showed that extracting the credentials requires neither a zero-day nor a complex exploit, only the ability to read the browser’s process memory. That is a local prerequisite rather than a remote one: the attacker needs code execution on the device. It does not necessarily mean administrative rights, though, because on Windows a process running as the same user at the same integrity level can normally open another of that user’s processes with PROCESS_VM_READ and call ReadProcessMemory without elevation.
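The two designs the article contrasts, and the check a tester runs against a memory snapshot, as an added example. This is not Edge, Chromium or the researcher’s code: it is a small model in which EagerVault decrypts every entry at load time (the behavior reported for Edge) and OnDemandVault decrypts one entry into a wipeable buffer only while autofill uses it (the behavior reported for Chrome). The cipher is a SHA-256 counter-mode keystream so the model runs offline with the standard library and stands in for the OS-protected encryption a real browser uses; passwords are held as UTF-16LE because Chromium-family browsers keep strings in that form on Windows; the vault contents are constructed, not real credentials.

```python
"""
Added example (not Edge, Chromium or the researcher's code): a model of the
eager-decrypt and decrypt-on-demand vault designs, plus find_plaintext(), the
check a tester runs over a memory snapshot. Assumed cipher: SHA-256 keystream.
"""
import hashlib
import os
from typing import Callable, Dict, List


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream built from SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_into(key: bytes, blob: bytes) -> bytearray:
    """Decrypts into a mutable bytearray so the caller can wipe it afterwards."""
    nonce, body = blob[:16], blob[16:]
    return bytearray(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place. CPython cannot promise that no other copy
    exists, which is why real implementations do this step in native code."""
    buf[:] = bytes(len(buf))


class EagerVault:
    """Decrypts the whole store at load time; every password stays resident."""

    def __init__(self, key: bytes, blobs: Dict[str, bytes]) -> None:
        self._plain = {site: decrypt_into(key, blob) for site, blob in blobs.items()}

    def use_password(self, site: str, consumer: Callable[[bytearray], None]) -> None:
        consumer(self._plain[site])          # hands out the long-lived copy

    def resident_memory(self) -> bytes:
        """Stand-in for a heap snapshot: every buffer this object keeps alive."""
        return b"".join(self._plain.values())


class OnDemandVault:
    """Keeps only ciphertext resident; decrypts per request and wipes."""

    def __init__(self, key: bytes, blobs: Dict[str, bytes]) -> None:
        self._key = key
        self._blobs = dict(blobs)

    def use_password(self, site: str, consumer: Callable[[bytearray], None]) -> None:
        buf = decrypt_into(self._key, self._blobs[site])
        try:
            consumer(buf)                     # e.g. fill the form field
        finally:
            wipe(buf)                         # plaintext lifetime ends here

    def resident_memory(self) -> bytes:
        return b"".join(self._blobs.values())


def find_plaintext(snapshot: bytes, secret: str) -> List[str]:
    """Report which encodings of `secret` occur in a memory snapshot.
    Searching only for the UTF-8 form misses a password held as UTF-16."""
    return [name for name, codec in (("utf-8", "utf-8"), ("utf-16le", "utf-16-le"))
            if secret.encode(codec) in snapshot]


def demo() -> Dict[str, Dict[str, object]]:
    key = os.urandom(32)
    saved = {"https://mail.example": "hunter2-mail",      # constructed sample vault
             "https://bank.example": "c0rrect-h0rse"}
    blobs = {site: encrypt(key, pw.encode("utf-16-le")) for site, pw in saved.items()}
    results: Dict[str, Dict[str, object]] = {}
    for name, vault in (("eager", EagerVault(key, blobs)), ("on-demand", OnDemandVault(key, blobs))):
        filled: List[str] = []
        vault.use_password("https://mail.example", lambda b: filled.append(b.decode("utf-16-le")))
        snapshot = vault.resident_memory()   # what a ReadProcessMemory loop would return
        results[name] = {
            "autofill_got": filled[0],
            "mail_in_memory": find_plaintext(snapshot, "hunter2-mail"),
            "bank_in_memory": find_plaintext(snapshot, "c0rrect-h0rse"),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Both vaults autofill the same password, but the eager snapshot also contains the bank password that was never requested, and it turns up only under the UTF-16LE search, which is the caveat for anyone reproducing the researcher’s test with a plain string scan. Against a real process the snapshot would come from ReadProcessMemory (or /proc/pid/mem) rather than from resident_memory().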

Microsoft described the behavior as “by design.” The company noted making passwords readily available in memory can speed sign-in and autofill and that reading another process’s memory generally requires a compromised machine or elevated access.

Security experts pointed out the issue is not a remote, unauthenticated vulnerability. They noted an attacker would typically need code execution on the device and the privilege to read Edge’s process memory to harvest passwords.

Those experts also noted that several information-stealing malware families already include the capability to extract credentials from process memory. With the whole vault resident, such a memory scraper obtains every saved password at once after the attacker gains a foothold, rather than only the entries decrypted for a particular autofill.
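Detection logic for that post-foothold step, as an added example that is not from the article or any vendor. It runs over constructed Sysmon Event ID 10 (ProcessAccess) records written in the key/value layout of the Sysmon event message and flags any process that opens a Chromium-family browser with PROCESS_VM_READ, the access right ReadProcessMemory needs, while filtering the browser’s own process tree and an assumed allowlist of security tooling. The records, the user and binary paths, and the allowlist are inventions for this example.

```python
"""
Added example (not from the article): flag processes that open a browser with
PROCESS_VM_READ, using constructed Sysmon Event ID 10 records as input.
Paths and the allowlist are assumptions for a hypothetical managed host.
"""
from typing import Dict, List

PROCESS_VM_READ = 0x0010                      # winnt.h: required by ReadProcessMemory
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "brave.exe"}
ALLOWED_READERS = {                           # assumed allowlist, tune per environment
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed records in the Sysmon "Process accessed" message layout.
SAMPLE_EVENTS = [
    # 1. Endpoint protection scanning Edge: allowlisted.
    r"""Process accessed:
RuleName: -
UtcTime: 2024-06-03 09:14:02.117
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1010""",
    # 2. Edge's browser process opening one of its own renderers: self-access.
    r"""Process accessed:
RuleName: -
UtcTime: 2024-06-03 09:14:05.402
SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1FFFFF""",
    # 3. Explorer querying Edge without VM_READ (PROCESS_QUERY_LIMITED_INFORMATION only).
    r"""Process accessed:
RuleName: -
UtcTime: 2024-06-03 09:14:07.950
SourceImage: C:\Windows\explorer.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1000""",
    # 4. Unknown binary dropped in Temp reading Edge memory: this is the alert.
    r"""Process accessed:
RuleName: -
UtcTime: 2024-06-03 09:15:11.008
SourceImage: C:\Users\alice\AppData\Local\Temp\update.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1010""",
    # 5. Same binary reading a non-browser process: out of scope for this rule.
    r"""Process accessed:
RuleName: -
UtcTime: 2024-06-03 09:15:11.221
SourceImage: C:\Users\alice\AppData\Local\Temp\update.exe
TargetImage: C:\Windows\System32\notepad.exe
GrantedAccess: 0x1010""",
]


def parse_event(text: str) -> Dict[str, str]:
    """Split 'Key: Value' lines on the first colon only, since paths contain 'C:\\'."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_browser_memory_read(ev: Dict[str, str]) -> bool:
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if _basename(tgt) not in BROWSER_IMAGES:
        return False
    try:
        access = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if not access & PROCESS_VM_READ:          # test the bit: masks vary (0x1010, 0x1410, 0x1FFFFF)
        return False
    if src.lower() == tgt.lower():            # browser process tree talking to itself
        return False
    return src.lower() not in ALLOWED_READERS


def find_browser_memory_readers(events: List[str]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for text in events:
        ev = parse_event(text)
        if is_browser_memory_read(ev):
            alerts.append({"time": ev.get("UtcTime", ""), "source": ev["SourceImage"],
                           "target": ev["TargetImage"], "access": ev["GrantedAccess"]})
    return alerts


if __name__ == "__main__":
    for alert in find_browser_memory_readers(SAMPLE_EVENTS):
        print(alert)
```

The self-access filter compares full image paths rather than file names, so a stealer that calls itself msedge.exe from another directory is still caught. Because Sysmon’s own GrantedAccess filter matches literal mask strings, a config that lists only 0x1010 misses handles opened with a superset of rights; testing the PROCESS_VM_READ bit in the pipeline, as above, avoids that gap.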

Browsers typically keep saved passwords encrypted on disk with a key tied to the user account and operating-system protections; on Windows, Chromium-family browsers protect that key with DPAPI under the user’s profile. A 2024 academic study found that some password managers can expose plaintext passwords in memory under certain conditions, which underlines that how secrets are handled in RAM matters as much as encrypted storage on disk.

The researcher described the behavior as a design choice that trades memory hygiene for immediate access to passwords. Microsoft’s characterization leaves the practice in place, so the practical response falls to administrators and users: decide whether to rely on the built-in manager or move to an alternative password solution, and lean on endpoint protections that detect or block processes reading the browser’s memory.
