“The risk of keeping the passwords in cleartext in memory becomes evident in shared environments,” Tom Jøran Sønstebyseter Rønning wrote after disclosing his research.
What Rønning found and how he disclosed it
Security researcher Tom Jøran Sønstebyseter Rønning discovered that Microsoft Edge decrypts saved credentials at browser startup and stores those credentials in process memory in plaintext, even when the stored passwords are not being used by the currently visited website. Rønning disclosed the behavior on Apr. 29 at Palo Alto Networks Norway’s BIG Bite of Tech conference and then published details on LinkedIn and GitHub.
How Microsoft Edge behaves, according to the report
Rønning’s report states that when a user saves passwords in Microsoft Edge, the browser decrypts each credential at startup and keeps them in the browser process’s memory. The browser will still prompt users to re-authenticate before revealing passwords in the Password Manager UI, even though those same passwords already reside unencrypted in process memory. When Rønning reported the behavior to Microsoft, he was told it was “by design.”
Risk scenarios and technical pathways for abuse
Morey Haber, Chief Security Advisor at BeyondTrust, framed the behavior as a departure from long-standing expectations for secret handling. “The digital trust created by a password was never intended to be electronically immortal artifacts living in memory of a device,” Haber said. He argued that passwords should be “transient secrets: entered, validated, tokenized, and discarded from process memory,” and that retaining them in cleartext converts them from an authentication mechanism into “a liability.”
Haber enumerated the ways process memory can be exposed: “Debuggers, crash dumps, memory scrapers, malware, privileged insiders, endpoint agents, and even legitimate administration tools can all interact with memory under the right conditions.” He warned that if a password exists in cleartext within memory, it is “no longer protected by encryption or hashing.”
From a post-exploitation perspective, Haber described concrete attack paths enabled by exposed credentials: credential dumping from memory can facilitate “privilege escalation, lateral movement, persistence, and unauthorized remote access across the environment.” He cautioned that in privileged environments a single exposed credential “can become the foundation for a ransomware infestation or a full-scale identity takeover,” and that multiple available passwords can lead to a “game over event.”
What this means for security teams, procurement leaders, and end users
- Security teams and technologists: Expect an immediate need to reassess threat models for environments where Edge is used on shared terminals or where attackers may obtain administrative access. Haber recommended moving toward ephemeral authentication mechanisms where possible — “tokenization, certificate-based authentication, hardware backed credentials, or just in time access workflows” — to reduce the risk posed by plaintext memory residues.
- Procurement leaders and enterprise IT: When evaluating browsers and endpoint software, procurement and IT teams should consider questions about credential handling at process startup and the implications for shared or privileged systems. The behavior is described as “by design,” which makes it a policy and procurement decision as much as a security configuration issue.
- End users and administrators of shared systems: Users should be aware that Edge’s Password Manager UI re-authentication prompt does not guarantee that stored passwords are absent from memory — the browser may already have decrypted and retained them. Administrators of terminal servers and other shared environments should note Rønning’s explicit warning that an attacker with administrative access could “access the memory of all logged‑on user processes.”
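The exposure vectors above (debuggers, memory scrapers, administrators reading other users' process memory) all require another process to open the browser process with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The following detection logic is an added example, not code from the original article or from Microsoft or the researcher; it assumes the events have been flattened into a `key=value|key=value` line layout (a constructed format), and the `ALLOWLIST` entries and the sample tool names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Windows process access rights from winnt.h; Sysmon reports the requested
# mask as a hex string in the GrantedAccess field of Event ID 10.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of processes expected to open the browser process.
# A real deployment would tune this to its own EDR and backup agents.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\exampleedr\agent.exe",  # hypothetical agent path
}
TARGETS = {"msedge.exe"}  # browser processes that hold decrypted passwords

FIELD_RE = re.compile(r"(\w+)=([^|]+)")


@dataclass
class Finding:
    source: str
    target: str
    access: int


def parse_event(line: str) -> dict:
    """Split one flattened Sysmon line into a field dictionary."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def is_suspicious(ev: dict):
    """Flag a ProcessAccess event when a non-allowlisted process asks for
    PROCESS_VM_READ on a target browser process; return None otherwise."""
    if ev.get("EventID") != "10":
        return None
    target = ev.get("TargetImage", "").lower()
    if target.rsplit("\\", 1)[-1] not in TARGETS:
        return None
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)
    return Finding(source, target, access) if access & PROCESS_VM_READ else None


def scan(lines):
    """Return the list of Findings for a batch of flattened event lines."""
    return [f for f in (is_suspicious(parse_event(l)) for l in lines) if f]


# Constructed sample events (not real telemetry).
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE = [
    f"EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage={EDGE}|GrantedAccess=0x1FFFFF",
    f"EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\unsigned_tool.exe|TargetImage={EDGE}|GrantedAccess=0x1010",
    f"EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage={EDGE}|GrantedAccess=0x1400",
    f"EventID=1|Image={EDGE}|CommandLine=msedge.exe --profile-directory=Default",
]
```

Only the second sample line is reported: the allowlisted process and the query-only handle (0x1400 carries no PROCESS_VM_READ bit) are ignored, as is the unrelated process-creation event.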
Disclosure, reactions, and the remaining question for Microsoft
Rønning went public with his findings at a conference and on social platforms and code hosting, and Microsoft characterized the behavior as intentional. BeyondTrust’s Morey Haber described that intentional choice as a step away from “secure application design” and from principles such as least privilege and zero trust. The facts on record are clear: saved Edge passwords are decrypted at startup and held in cleartext in process memory; Microsoft reported the behavior as “by design”; security experts warn this expands the attack surface in shared and privileged contexts.
The concrete question left by those facts is now for organizations and for Microsoft: does a design that retains decrypted credentials in process memory align with the risk profiles of environments where Edge runs, especially shared or high‑privilege systems? The answer will determine whether enterprises change deployments and whether Microsoft revisits the design choice.
Original reporting: https://www.securitymagazine.com/articles/102294-research-microsoft-edge-loads-stored-passwords-in-cleartext