Microsoft Edge Loads Entire Password Vault in Plaintext Memory – Design Choice Raises Credential Harvesting Risk
What Happened – Independent research found that Microsoft Edge loads the full browser‑saved password vault into plaintext process memory at startup and keeps it there for the session. Other Chromium‑based browsers decrypt passwords only on demand.
Why It Matters for TPRM –
- Post‑compromise attackers with elevated privileges can harvest all saved credentials from a single memory read.
- The design reduces the effectiveness of endpoint hardening controls that assume passwords are encrypted at rest.
- Vendors that rely on Edge for single‑sign‑on (SSO) or internal tools inherit this exposure.
Who Is Affected – Enterprises in any industry that use Microsoft Edge as a password manager, especially organizations that enforce browser‑based credential storage for SaaS applications.
Recommended Actions –
- Review internal policies on browser‑based password storage; consider disabling Edge password saving or autofill.
- Enforce multi‑factor authentication (MFA) for all privileged accounts.
- Deploy endpoint detection & response (EDR) solutions that monitor for suspicious memory‑read activity.
- Validate that critical applications support alternative credential stores (e.g., dedicated password managers).
Technical Notes – Edge loads the entire vault into RAM at launch, exposing plaintext passwords to any process with read access to Edge’s memory (which requires elevated privileges). No CVE is associated; the behavior is “by design.” The attack vector is a privileged memory read, similar to techniques used by infostealers. Source: Malwarebytes Labs
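One way to implement the memory‑read monitoring recommended above, as an added example that is not from the source report or from any vendor: a filter over Sysmon Event ID 10 (ProcessAccess) records that flags non‑allowlisted processes opening msedge.exe with the PROCESS_VM_READ right. It assumes Sysmon is configured to log ProcessAccess for msedge.exe targets; the allowlist paths and the sample events are constructed for illustration.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: sources expected to open Edge with read access in this fleet.
# Both paths are illustrative; the EDR agent path is hypothetical.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\exampleedr\agent.exe",
}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed Sysmon Event ID 10 records, reduced to the fields used here.
SAMPLE_EVENTS = [
    # Edge opening its own child process: allowlisted source.
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    # Unknown binary requesting a mask that includes PROCESS_VM_READ: flag.
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},
    # Same binary, query-only mask (no VM_READ bit): not a memory read.
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},
    # Memory read against a different process: out of scope for this rule.
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    # Process creation event, not ProcessAccess.
    {"EventID": 1, "Image": r"C:\Users\Public\updater.exe"},
]

def is_suspicious_edge_read(event):
    """True when a non-allowlisted process opens msedge.exe with VM_READ."""
    if event.get("EventID") != 10:
        return False
    if ntpath.basename(event.get("TargetImage", "")).lower() != "msedge.exe":
        return False
    try:
        access = int(event.get("GrantedAccess", "0"), 16)  # Sysmon logs the mask as hex
    except ValueError:
        return False  # malformed mask: skipped here, route to a parse-error queue
    if not access & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def find_suspicious(events):
    return [e for e in events if is_suspicious_edge_read(e)]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

The check tests the access mask bitwise rather than by exact value, since the read right usually arrives combined with other rights in one mask.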