Microsoft Edge Exposes Saved Passwords in Plaintext

Microsoft Edge automatically loads all saved passwords into browser memory in plaintext at startup, a behavior researchers say could make credential theft significantly easier on compromised systems.

Tom Jøran Sønstebyseter Rønning's Edge finding

Researcher Tom Jøran Sønstebyseter Rønning discovered that Microsoft Edge preloads the entire saved-password store into process memory when the browser starts and keeps those cleartext passwords in memory for the duration of the session. Rønning contrasted Edge's approach with other Chromium-based browsers such as Google Chrome and Brave, which—according to his findings—decrypt credentials only when users actively request autofill or view passwords.

Rønning published a tool, EdgeSavedPasswordsDumper, on GitHub to allow users and defenders to verify whether Edge passwords are present in plaintext memory.

Security experts: local access and shared infrastructure raise risk

"Windows does not prevent a non-elevated program from reading the memory of another program running under the same user context," Craig Lurey, CTO and co-founder of Keeper Security, told ISMG. The consequence, Lurey said, is that sensitive data an application keeps in memory can be targeted by local malware running as the same user, with no elevation required.

Morey Haber, chief security advisor at BeyondTrust, told ISMG that passwords are "meant to be transient secrets" and that retaining them in cleartext memory "stops being an authentication mechanism and becomes a liability regardless of who has access to a system." The risk is heightened in enterprise deployments that use shared infrastructure—Citrix servers, virtual desktop infrastructure and remote desktop systems—where an attacker with administrative access on a terminal server can read the memory of every user process on the machine.

Microsoft's response and practical proof-of-concept

Microsoft characterized the behavior as "by design" and told Rønning that exploitation would require an attacker to already have administrative access to the device. Security researchers pushed back on that framing on two grounds: administrative rights are not the bar, since, as Lurey noted, any non-elevated process running as the same user can read another process's memory; and the question of who can read memory is separate from the design choice to keep cleartext credentials in memory for an entire session.

Rønning's published tool gives administrators and security teams a way to confirm whether the issue affects their installations and to measure exposure without relying solely on vendor statements.
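The PowerShell below is an added example, not Rønning's EdgeSavedPasswordsDumper and not Microsoft code. It performs the same kind of check described above for Rønning's tool and tests Lurey's point directly: from a non-elevated session it opens every msedge.exe process owned by the current user, walks the committed memory regions with VirtualQueryEx, reads them with ReadProcessMemory and reports where a marker string appears. The marker password, the 1 MB chunk size and the log format of the output are assumptions for this illustration; Chromium represents password values as UTF-16 strings, so the scan searches for both the UTF-8 and UTF-16LE encodings of the marker.

```powershell
# Added example (not EdgeSavedPasswordsDumper). Assumption: you saved the marker below as a
# password in Edge, restarted the browser, and run this WITHOUT "Run as administrator".
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Mem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION, 48 bytes on x64
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@

function Find-MarkerInProcess {
    param([Parameter(Mandatory=$true)][int]$ProcessId,
          [Parameter(Mandatory=$true)][string]$Marker,
          [long]$ChunkSize = 1MB)   # assumption: read size per call, keeps buffers small
    $PROCESS_VM_READ = 0x0010; $PROCESS_QUERY_INFORMATION = 0x0400
    $MEM_COMMIT = 0x1000; $PAGE_NOACCESS = 0x01; $PAGE_GUARD = 0x100

    # Only read access is requested; no SeDebugPrivilege, no elevation.
    $h = [Mem]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Latin-1 maps bytes 1:1 onto chars, so an ordinal string search doubles as a byte search.
    # Search both encodings: Chromium keeps password values as UTF-16 strings.
    $latin1 = [Text.Encoding]::GetEncoding(28591)
    $patterns = @(
        $latin1.GetString([Text.Encoding]::UTF8.GetBytes($Marker)),
        $latin1.GetString([Text.Encoding]::Unicode.GetBytes($Marker))
    )
    $overlap = ($patterns | ForEach-Object { $_.Length } | Measure-Object -Maximum).Maximum

    $hits = @()
    $template = New-Object Mem+MBI
    $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($template)
    $addr = [IntPtr]::Zero
    try {
        while ($true) {
            $mbi = New-Object Mem+MBI
            if (([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize)).ToInt64() -eq 0) { break }
            $base = $mbi.BaseAddress.ToInt64(); $size = $mbi.RegionSize.ToInt64()
            $readable = ($mbi.State -eq $MEM_COMMIT) -and
                        (($mbi.Protect -band $PAGE_GUARD) -eq 0) -and
                        ($mbi.Protect -ne $PAGE_NOACCESS)
            if ($readable) {
                $off = 0L
                while ($off -lt $size) {
                    $want = [Math]::Min($ChunkSize, $size - $off)
                    $buf = New-Object byte[] $want
                    $got = [IntPtr]::Zero
                    if ([Mem]::ReadProcessMemory($h, [IntPtr]($base + $off), $buf, [IntPtr]$want, [ref]$got) -and
                        $got.ToInt64() -gt 0) {
                        $text = $latin1.GetString($buf, 0, $got.ToInt32())
                        foreach ($p in $patterns) {
                            $i = $text.IndexOf($p, [StringComparison]::Ordinal)
                            if ($i -ge 0) { $hits += ('0x{0:X}' -f ($base + $off + $i)) }
                        }
                    }
                    if ($off + $want -ge $size) { break }
                    $off += $want - $overlap   # overlap chunks so a marker straddling a boundary is not missed
                }
            }
            $addr = [IntPtr]($base + $size)
        }
    } finally { [void][Mem]::CloseHandle($h) }
    return $hits
}

# Usage. Marker value is an assumption: pick something that cannot occur by chance in memory.
$marker = 'EdgeMemTest-CorrectHorse-7731'
foreach ($p in Get-Process msedge -ErrorAction SilentlyContinue) {
    try {
        $found = Find-MarkerInProcess -ProcessId $p.Id -Marker $marker
        if ($found) { "PID $($p.Id): marker found at $($found -join ', ')" }
    } catch { Write-Warning $_ }
}
```

Run it from a normal (medium-integrity) PowerShell window as the user who owns the browser. A hit in the browser process confirms the behavior without any administrative rights; an OpenProcess failure for another user's msedge.exe on the same host is the terminal-server case Haber describes, where only an account holding SeDebugPrivilege can read across users. Edge runs several processes and the scan reads hundreds of megabytes through PowerShell, so expect it to take a while.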

Other incidents this week: a DDoS spread across 1.2 million IPs, rail radio hack, and exploited Ivanti zero-day

Separately, bot-defense firm DataDome reported a massive distributed denial-of-service campaign that sent 2.45 billion requests over five hours to a user-generated content platform. The April attack peaked at more than 205,000 requests per second and averaged roughly 136,000 requests per second. Attackers avoided per-IP rate limits by distributing traffic across more than 1.2 million IP addresses so that "no single IP ever trips a per-source limit," the researchers said.
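The following PowerShell is an added example built on constructed log lines; it is not DataDome's data or detection code. It shows why the per-source limit the attackers stayed under never fires when each address sends only a request or two, and places beside it two aggregate signals, requests per second for the whole target and distinct source addresses per second, that do see the flood. The log format (combined-log style) and the three thresholds are assumptions chosen for the toy data.

```powershell
# Added example, constructed data. Assumption: lines look like
#   <ip> - - [<dd/Mon/yyyy:HH:mm:ss zone>] "<request>" <status> <bytes>
function Measure-FloodSignals {
    param(
        [Parameter(Mandatory=$true)][string[]]$LogLines,
        [int]$PerIpLimitPerSecond      = 10,  # assumption: the per-source limit the edge enforces
        [int]$GlobalLimitPerSecond     = 20,  # assumption: aggregate limit for the whole target
        [int]$DistinctIpLimitPerSecond = 8    # assumption: normal source diversity for this endpoint
    )
    $perIpSecond  = @{}   # "<ip>|<second>" -> request count
    $perSecond    = @{}   # "<second>"      -> request count
    $ipsPerSecond = @{}   # "<second>"      -> set of source addresses

    foreach ($line in $LogLines) {
        if ($line -notmatch '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\]') { continue }  # skip unparsable lines
        $ip = $Matches['ip']; $ts = $Matches['ts']   # timestamp has one-second resolution
        $key = "$ip|$ts"
        $perIpSecond[$key] = 1 + [int]$perIpSecond[$key]
        $perSecond[$ts]    = 1 + [int]$perSecond[$ts]
        if (-not $ipsPerSecond.ContainsKey($ts)) { $ipsPerSecond[$ts] = @{} }
        $ipsPerSecond[$ts][$ip] = $true
    }

    $maxPerIp    = ($perIpSecond.Values | Measure-Object -Maximum).Maximum
    $maxGlobal   = ($perSecond.Values   | Measure-Object -Maximum).Maximum
    $maxDistinct = ($ipsPerSecond.Values | ForEach-Object { $_.Count } | Measure-Object -Maximum).Maximum

    [pscustomobject]@{
        MaxRequestsPerIpPerSecond = $maxPerIp
        MaxRequestsPerSecond      = $maxGlobal
        MaxDistinctIpsPerSecond   = $maxDistinct
        PerIpLimitTripped         = $maxPerIp    -gt $PerIpLimitPerSecond
        GlobalLimitTripped        = $maxGlobal   -gt $GlobalLimitPerSecond
        DistinctIpLimitTripped    = $maxDistinct -gt $DistinctIpLimitPerSecond
    }
}

# Constructed sample 1: one second, 30 requests, every request from a different address.
$spread = 1..30 | ForEach-Object {
    "203.0.113.$_ - - [01/Apr/2026:10:00:00 +0000] ""POST /api/posts HTTP/1.1"" 200 512"
}
# Constructed sample 2: one second, 30 requests, all from a single address.
$burst = 1..30 | ForEach-Object {
    "198.51.100.7 - - [01/Apr/2026:10:00:01 +0000] ""GET /feed HTTP/1.1"" 200 1024"
}

"Spread across sources:"; Measure-FloodSignals -LogLines $spread
"Single noisy source:";   Measure-FloodSignals -LogLines $burst
```

The two samples are built to sit on opposite sides of the per-source rule: in the first, no address sends more than one request per second, so a per-IP counter has nothing to act on even though the target itself receives the whole burst; in the second the same volume comes from one address and the per-IP rule is enough. Counting distinct sources per second is the cheaper of the two aggregate signals to keep in a streaming pipeline (a HyperLogLog sketch per target and second suffices), and it is the one that specifically characterizes the "many sources, one request each" shape DataDome reported.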

In Taiwan, police arrested a 23-year-old university student accused of using software-defined radio and handheld radios to interfere with the TETRA radio communications system for Taiwan High Speed Rail, allegedly triggering emergency braking on four trains and halting services for 48 minutes on April 5. Authorities said the suspect intercepted and decoded radio parameters and that the THSRC radio system had operated for nearly two decades without meaningful parameter rotation.

Ivanti warned that hackers have exploited CVE-2026-6973, an improper input validation flaw in Ivanti Endpoint Manager Mobile, and said a "very limited number of customers" have been compromised through the vulnerability. Ivanti noted successful exploitation requires admin access and said customers who rotated credentials after its February mitigations face significantly less exposure. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-6973 to its catalog of known exploited vulnerabilities.

Espionage, extortion and law enforcement outcomes reported

Cisco Talos reported a China-linked actor tracked as UAT-8302 targeting governments in South America and Southeastern Europe with a rotating set of malware—NetDraft, CloudSorcerer, Snowlight, VShell and others—aimed at long-term access and credential theft. Talos observed the use of loaders, proxy tools and credential-extraction utilities and said the group appears to exploit internet-facing applications to gain initial access.

In legal developments, the Department of Justice announced a Latvian negotiator for a Russian-affiliated ransomware organization was sentenced to more than eight years for conspiracy to commit wire fraud and money laundering tied to extortion of victims that included a pediatric healthcare technology provider. Separately, two U.S. nationals received federal prison sentences after running a "laptop farm" that facilitated North Korean IT workers obtaining remote jobs at more than 100 American companies using stolen identities.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Use Rønning's EdgeSavedPasswordsDumper to check memory exposure, and run it from a non-elevated session under the same user as the browser, since, as Lurey noted, that is all Windows requires to read another process's memory. Review shared-infrastructure configurations (Citrix/VDI/remote desktop), where an administrator on the host can read every user's processes, and factor vendor design defaults into risk assessments.
  • Procurement and enterprise IT leaders: Re-evaluate vendor default behaviors and demand clarity about secret lifecycle management from browser and appliance vendors; note that Ivanti emphasized credential rotation reduced exposure for customers who followed its February guidance.
  • End users and administrators: Be aware that stored passwords may not be as transient as intended in some browsers; follow vendor guidance on credential rotation and limit administrative access on shared systems where possible.

The week's incidents (plaintext credentials in Edge memory, a DDoS spread across more than a million sources to stay under per-IP limits, radio interference with a national rail operator's TETRA system, and an Ivanti zero-day linked to real intrusions) underscore attackers' preference for techniques that exploit design decisions and operational weaknesses rather than novel bugs. Microsoft calls the Edge behavior "by design" and maintains that administrative access would be required for exploitation; whether that design choice will change remains a live question for customers and defenders.

Original story at GovInfoSecurity