Microsoft Edge Keeps Saved Passwords in Cleartext
Microsoft Edge has a major security flaw: it decrypts all saved passwords into cleartext in memory each time the browser launches. The discovery, published by PaloAltoNtwks Norway’s researcher @L1v1ng0ffTh3L4N, reveals a significant oversight in Edge’s password handling. Unlike Google Chrome, which decrypts credentials only as needed, Microsoft Edge loads the entire vault into plaintext memory at startup, leaving it exposed to attack.
This behavior undermines Edge’s password management interface: users are prompted to re-authenticate even though the cleartext credentials are already available to anyone with access to the process memory. The threat is amplified in environments like Remote Desktop Services, where administrators can harvest credentials from multiple users. When the issue was responsibly disclosed, Microsoft responded that the behavior is “by design,” citing the limits of its threat model.
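One way to watch for the process-memory access described above, as an added example that is not part of the original article: it filters records shaped like Sysmon Event ID 10 (ProcessAccess) for reads of msedge.exe memory and raises the severity when the reader and the Edge process belong to different users, the Remote Desktop Services case. The sample records, paths and allow-list are constructed, and the records are assumed to carry Sysmon's SourceUser and TargetUser fields.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory
EDGE = r"c:\program files (x86)\microsoft\edge\application\msedge.exe"  # assumed install path
# Hypothetical allow-list, matched on full path because a bare file name is easy to imitate.
ALLOWED_SOURCES = {EDGE, r"c:\program files\example-edr\agent.exe"}


def ev(source, access, source_user, target_user, event_id=10, target=EDGE):
    """Build one constructed record using Sysmon Event ID 10 field names."""
    return {"EventID": event_id, "SourceImage": source, "TargetImage": target,
            "GrantedAccess": access, "SourceUser": source_user, "TargetUser": target_user}


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    ev(EDGE, "0x1fffff", r"CORP\alice", r"CORP\alice"),  # Edge opening its own child process
    ev(r"C:\Tools\example-reader.exe", "0x1010", r"CORP\admin1", r"CORP\alice"),  # cross-user
    ev(r"C:\Tools\example-reader.exe", "0x1000", r"CORP\alice", r"CORP\alice"),  # no VM_READ bit
    ev(r"C:\Users\bob\AppData\Local\Temp\example-helper.exe", "0x0410", r"CORP\bob", r"CORP\bob"),
]


def flag_edge_memory_reads(events, allowed=ALLOWED_SOURCES):
    """Return findings for non-allow-listed processes granted read access to Edge memory."""
    findings = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if ntpath.basename(e.get("TargetImage", "")).lower() != "msedge.exe":
            continue
        if not (int(e.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ):
            continue  # handle was opened without the right to read memory
        source = e.get("SourceImage", "").lower()
        if source in allowed:
            continue
        # Different accounts on the same host: one user's process reading another user's vault.
        cross_user = e.get("SourceUser", "").lower() != e.get("TargetUser", "").lower()
        findings.append({"source": source, "source_user": e.get("SourceUser"),
                         "target_user": e.get("TargetUser"),
                         "severity": "high" if cross_user else "medium"})
    return findings


if __name__ == "__main__":
    for finding in flag_edge_memory_reads(SAMPLE_EVENTS):
        print(finding)
```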
Security teams are advised to consider browsers with stronger encryption practices. For more details on the implications of this vulnerability, read the full article here:
Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch
