Critical Plaintext Password Exposure in Microsoft Edge Affects Enterprise Browsers
What Happened — Researchers disclosed that Microsoft Edge was leaking saved passwords in plaintext to local files and, in some configurations, to remote endpoints via telemetry. The issue affects all recent Edge versions on Windows 10/11 and can be exploited without user interaction.
Why It Matters for TPRM —
- Plaintext credentials enable credential‑stuffing attacks against downstream SaaS services.
- Vendor‑managed browsers are a common third‑party component in corporate desktops; a breach expands the attack surface of any partner relying on Edge for secure access.
Who Is Affected — Enterprises using Microsoft Edge on Windows workstations; SaaS providers whose users authenticate via Edge‑stored credentials.
Recommended Actions — Immediately enforce password manager usage, disable Edge password saving via Group Policy, and apply the latest Edge security patch (released 2026‑05‑06).
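A local check for the Group Policy step above, added here as an example and not taken from the source article or from Microsoft. It assumes the Edge policy value PasswordManagerEnabled under SOFTWARE\Policies\Microsoft\Edge, which is named in Microsoft's Edge policy documentation rather than on this page; the function name and the -Enforce switch are this example's own.

```powershell
# Added example: audit, and optionally enforce, the Edge policy that disables password saving.
# Assumption: policy value "PasswordManagerEnabled" (REG_DWORD, 0 = saving disabled).
function Test-EdgePasswordSavingPolicy {
    [CmdletBinding()]
    param(
        [switch]$Enforce   # write the machine-level value; requires an elevated session
    )

    $name  = 'PasswordManagerEnabled'
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine policy, takes precedence
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
    )

    # Read the value from each hive; a missing key or value means "not configured".
    $scopes = foreach ($path in $paths) {
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Path  = $path
            Value = $value
            State = if ($null -eq $value) { 'NotConfigured' }
                    elseif ($value -eq 0) { 'Disabled' }
                    else                  { 'Enabled' }
        }
    }

    if ($Enforce -and $scopes[0].State -ne 'Disabled') {
        if (-not (Test-Path -Path $paths[0])) { New-Item -Path $paths[0] -Force | Out-Null }
        New-ItemProperty -Path $paths[0] -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $scopes[0].Value = 0
        $scopes[0].State = 'Disabled'
    }

    # First configured scope wins; with no policy set, users can still save passwords.
    $effective = $scopes | Where-Object { $_.State -ne 'NotConfigured' } | Select-Object -First 1
    [pscustomobject]@{
        Compliant      = ($null -ne $effective -and $effective.State -eq 'Disabled')
        EffectiveScope = if ($effective) { $effective.Path } else { 'None (user-controlled)' }
        Scopes         = $scopes
    }
}

Test-EdgePasswordSavingPolicy | Format-List
```

On domain-joined machines the value written by -Enforce is overwritten at the next policy refresh, so the durable fix is the GPO itself; the script is for spot checks and standalone hosts.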
Technical Notes — The flaw stems from a mis‑handled credential store API that writes decrypted passwords to %AppData%\Microsoft\Edge\User Data\Login Data and optionally forwards them to Microsoft telemetry endpoints. No CVE has been assigned yet; the issue is classified as a high‑severity local privilege exposure.
Source: The Hacker News