
Microsoft Alters Edge to Mitigate Password Exposure Risk


"This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout," said Microsoft Edge Security Lead Gareth Evans.

Tom Jøran Sønstebyseter Rønning's May 4 disclosure

On May 4, security researcher Tom Jøran Sønstebyseter Rønning demonstrated that Edge's built‑in password manager decrypted all stored credentials at browser launch and kept them in process memory even when those credentials were not actively being used. Rønning released a proof‑of‑concept (PoC) tool showing an attacker with Administrator privileges could dump passwords from other users' Edge processes; without Administrator privileges the PoC could only access Edge processes launched by the same user. Rønning also reported the issue to Microsoft and said he was initially told the behavior was "by design" before he publicly disclosed his findings.

How Edge handled saved passwords in memory

The observable behavior Rønning described was that saved passwords were decrypted into cleartext and loaded into process memory at startup. According to Rønning, Edge was the only Chromium‑based browser he tested that behaved this way; by contrast, he said Chrome "uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory." Microsoft initially told BleepingComputer that "this is an expected feature of the application," placing the scenario inside its existing threat model.

Microsoft reverses stance and prioritizes a fix

After the public disclosure, Microsoft changed course. Gareth Evans said the company will no longer load saved passwords into memory on startup and framed the change as a "defense‑in‑depth" improvement tied to the Secure Future Initiative and customer feedback. Microsoft said the change will be applied across all supported Edge channels — Stable, Beta, Dev, Canary, and the Extended Stable channel used by enterprise customers — and that the rollout is being prioritized. The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases, identified as build 148 and newer.

Exploitability and the existing threat model

Microsoft maintained that the originally reported scenario fell within its existing threat model, which excludes attacks in which an adversary already has administrative control of a device. Rønning's PoC underscored that distinction: an attacker with Administrator privileges could dump passwords from other users' Edge processes, while a non‑privileged attacker could only access processes launched by the same user. Taken together, Microsoft's characterization and Rønning's tool draw a clear line: under the original design, administrative access materially increases what an attacker can extract from process memory.

What this means for security teams, enterprises, and end users

  • Technologists and security teams: Expect an update window tied to Edge build 148 and newer and plan verification steps — the fix is already available in Canary but will be applied to Stable, Beta, Dev and Extended Stable channels. Teams that rely on the Extended Stable channel should watch that channel's rollout cadence closely because Microsoft named it explicitly.
  • Affected enterprises and procurement leaders: The change was framed as defense‑in‑depth and will reach the Extended Stable channel used by enterprise customers; organizations still operating under the previous threat model should note Microsoft's decision to reduce exposure even when a scenario falls inside the defined model.
  • End users and the general public: The behavioral change means saved passwords will no longer be decrypted into memory at startup in upcoming Edge builds, and users will see the fix first in Canary before it appears in broadly supported releases (build 148 and newer).
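One way to carry out the build verification the list above recommends, added here as an example rather than tooling from Microsoft or the researcher: it reports whether each installed Edge channel is at build 148 or newer. The install paths are assumptions about default Edge locations, and Extended Stable shares the Stable binary path, so it is reported under that entry.

```powershell
# Added example: report each installed Edge channel and whether it is at the
# build the article names for the startup-decryption change (148 and newer).
# Paths are assumptions about default per-machine / per-user Edge installs.
$MinimumBuild = 148

$Channels = @{
    'Stable / Extended Stable' = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
    'Beta'                     = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge Beta\Application\msedge.exe'
    'Dev'                      = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge Dev\Application\msedge.exe'
    'Canary'                   = Join-Path $env:LOCALAPPDATA       'Microsoft\Edge SxS\Application\msedge.exe'
}

function Get-EdgeChannelStatus {
    param([hashtable]$Paths, [int]$Minimum)

    foreach ($name in $Paths.Keys) {
        $exe = $Paths[$name]
        if (-not (Test-Path $exe)) {
            [pscustomobject]@{ Channel = $name; Version = $null; Status = 'not installed' }
            continue
        }
        # ProductVersion looks like 148.0.xxxx.yy; the leading component is
        # treated here as the build (major) number the article refers to.
        $version = (Get-Item $exe).VersionInfo.ProductVersion
        $major   = [int]($version.Split('.')[0])
        $status  = if ($major -ge $Minimum) { 'mitigation build' } else { 'pre-mitigation build' }
        [pscustomobject]@{ Channel = $name; Version = $version; Status = $status }
    }
}

Get-EdgeChannelStatus -Paths $Channels -Minimum $MinimumBuild | Format-Table -AutoSize
```

The script checks only the installed build number; it does not itself verify the runtime behavior, so treat a reported "mitigation build" as the starting point for rollout tracking rather than proof of the change.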

Microsoft's reversal — from calling the behavior "expected" to prioritizing a cross‑channel rollout — is a concrete example of a vendor choosing to tighten exposure beyond its formal threat model. The Canary release already contains the change, and build 148 and newer are slated to receive it; beyond that, verification by defenders and enterprise rollouts will determine how broadly and quickly the reduced exposure takes effect.
