Security researcher Tom has identified a significant design flaw in Microsoft Edge. His investigation shows that, at startup, the browser loads every saved account credential into process memory in decrypted form, regardless of whether any of those credentials are needed for the pages currently open.
Specifically, the parent Microsoft Edge process keeps these decrypted credentials resident for as long as it runs. Consequently, an adversary who already has enough privilege on the machine to read that process's memory can lift the passwords straight out of it. This is not a remote exploit on its own, but it gives an attacker with local access a simple way to harvest a user's entire set of saved passwords in one pass, without having to defeat the on-disk encryption.
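The practical consequence of the design described above is that the attack leaves a single, recognisable trace: some process must open the Edge parent process with memory-read rights before it can scrape anything. The following Python is an added example, not code from the article or from the researcher's proof-of-concept tool. It parses a handful of constructed Sysmon Event ID 10 (ProcessAccess) records and reports every source process that obtained PROCESS_VM_READ on msedge.exe. The access-right constants are the real winnt.h values; the one-line `Key: value|Key: value` rendering of the events, the sample records themselves and the allow-list of Edge's own installation path are assumptions made for this example.

```python
"""Flag processes that open Microsoft Edge with memory-read rights.

Added example, not part of the original article or the researcher's tool.
It scans constructed Sysmon Event ID 10 (ProcessAccess) records and reports
any source process that obtained PROCESS_VM_READ on msedge.exe, which is the
access an attacker needs to read the decrypted credentials the article
describes. Field names follow Sysmon's Event ID 10 schema; the flat
'Key: value|Key: value' rendering and the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Windows process access rights from winnt.h (exact values).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption for the example: Edge's own binary opening another Edge process
# is expected browser behaviour and is not flagged. Everything else is.
EXPECTED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample events in a flat one-line rendering of Event ID 10.
SAMPLE_EVENTS = [
    r"SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|GrantedAccess: 0x1010",
    r"SourceImage: C:\Users\alice\Downloads\dump.exe"
    r"|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|GrantedAccess: 0x1010",
    r"SourceImage: C:\Windows\System32\svchost.exe"
    r"|TargetImage: C:\Windows\System32\notepad.exe"
    r"|GrantedAccess: 0x1fffff",
    r"SourceImage: C:\Windows\System32\Taskmgr.exe"
    r"|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|GrantedAccess: 0x1400",
    r"SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|GrantedAccess: 0x1fffff",
]


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccess:
    """Parse one 'Key: value|Key: value' record into a ProcessAccess.

    partition() splits on the first colon only, so drive letters in the
    image paths ('C:\\...') survive intact.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def can_read_memory(granted_access: int) -> bool:
    """True if the granted mask includes PROCESS_VM_READ (ReadProcessMemory)."""
    return granted_access & PROCESS_VM_READ == PROCESS_VM_READ


def is_edge(image_path: str) -> bool:
    return image_path.lower().endswith("\\msedge.exe")


def suspicious_edge_readers(lines: Iterable[str]) -> List[ProcessAccess]:
    """Return events where a non-Edge process gained read access to Edge memory."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_edge(event.target_image):
            continue
        if not can_read_memory(event.granted_access):
            # Query-only handles (e.g. Task Manager listing processes) cannot
            # read the credentials and are left alone.
            continue
        if event.source_image.lower() in EXPECTED_SOURCES:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in suspicious_edge_readers(SAMPLE_EVENTS):
        print(f"{hit.source_image} opened {hit.target_image} "
              f"with 0x{hit.granted_access:x}")
```

Two of the five constructed records are flagged: the unsigned binary in a Downloads folder and the PowerShell host, both of which asked for a handle that includes PROCESS_VM_READ on msedge.exe. The Task Manager record is skipped because 0x1400 carries only query rights, and the Edge-to-Edge record is skipped by the allow-list. Matching the allow-list on the full lower-cased path rather than the file name means an attacker cannot evade it simply by naming a dropper msedge.exe, though anyone who can write into Edge's installation directory has already won; treat the allow-list as a noise filter, not a trust boundary.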
Behaviour like this would normally be treated as a design vulnerability, so the researcher reported it to Microsoft through responsible disclosure. Microsoft, however, classified it as intentional design rather than a vulnerability and, on that basis, declined to pay a bug bounty.
The researcher has since published both the details of the flaw and a proof-of-concept tool that demonstrates how Microsoft Edge handles stored credentials. He maintains that the design is a serious security weakness, particularly because comparable browsers do not behave the same way. By his comparison, Google Chrome does not keep decrypted credentials resident in memory, and Brave (also built on Chromium) decrypts a credential only when the user asks for autofill, which closes this particular avenue.
Who is most exposed? On a Windows 10 or 11 machine with several user profiles, an account with administrative rights can read the memory of processes in other users' sessions, so an administrator could pull saved credentials out of another user's running Microsoft Edge process. The exposure lasts only as long as that process is alive: locking the screen or switching user leaves the browser running with the credentials still decrypted, whereas signing out ends the session and its processes. Anyone using a shared workstation should therefore sign out fully, not merely lock or switch away, as soon as they have finished.