Microsoft Edge Stores Saved Passwords in Plaintext RAM – Design Feature Raises Credential Exposure Risk
What Happened – Security researcher Tom Jøran Sønstebyseter Rønning demonstrated that Microsoft Edge keeps every saved password decrypted in the browser’s process memory (RAM) whenever the password manager is enabled. Microsoft confirmed the behavior, stating it is an intentional design choice meant to improve sign‑in speed.
Why It Matters for TPRM –
- Credential data can be harvested by any malware that gains administrative access to a workstation, bypassing the encryption that protects the stored credentials on disk.
- Organizations that mandate Edge as the corporate password manager expose employees’ login secrets to a broader attack surface.
- The issue is not a vulnerability in Edge itself but a risk‑by‑design that must be accounted for in third‑party and endpoint security assessments.
Who Is Affected – All industries that allow or require employees to use Microsoft Edge for password storage, especially those with high‑value credentials (finance, healthcare, SaaS, government).
Recommended Actions –
- Review internal policies on approved password managers; consider alternatives that encrypt credentials in memory.
- Ensure endpoint protection (EDR) is deployed and that privileged‑access controls limit admin rights on user workstations.
- Apply the latest Windows and Edge security updates; enforce device‑level encryption and secure boot.
Technical Notes – Edge decrypts stored credentials at startup and retains them in cleartext within the browser process memory. An attacker with administrative rights can dump the process memory to retrieve passwords. No CVE is associated; the behavior is documented by Microsoft as a feature. Source: ZDNet Security
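The Technical Notes above describe the exposure (cleartext credentials in the Edge process, retrievable by anything that can read that process's memory), and the Recommended Actions point to EDR and privileged-access controls as the compensating layers. As an added example, not from the article or from Microsoft, the following Python sketch shows what a detection for that access pattern looks like: it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process that opens msedge.exe with PROCESS_VM_READ rights unless the opener is on an allowlist. The log lines, the allowlist entries and the single-line key=value layout are assumptions made for illustration; a real deployment would read the events from the Windows event log or a SIEM and tune the allowlist to the estate.

```python
"""
Detection sketch (added example, not the article's or Microsoft's code):
flag processes that open the Edge browser process with memory-read rights,
the access needed to read cleartext credentials out of its RAM.
Input: constructed single-line Sysmon Event ID 10 (ProcessAccess) records.
"""
import re
from dataclasses import dataclass

# Win32 process access rights (documented constants).
PROCESS_VM_READ = 0x0010                     # read another process's memory
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # basic metadata only, no memory read

# Only the browser the article discusses; compare on the image file name.
BROWSER_TARGETS = {"msedge.exe"}

# Assumed allowlist of system/security tooling that legitimately opens other
# processes with read rights. Tune per environment; this is an assumption.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


# key=value pairs separated by whitespace; values may themselves contain spaces,
# so a value runs until the next "<word>=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> ProcessAccess:
    """Parse one constructed Sysmon Event 10 record into a ProcessAccess."""
    fields = dict(FIELD_RE.findall(line))
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),  # e.g. "0x1010"
        call_trace=fields.get("CallTrace", ""),
    )


def is_suspicious(ev: ProcessAccess) -> bool:
    """True when an unexpected process gains memory-read access to Edge."""
    target_name = ev.target_image.rsplit("\\", 1)[-1].lower()
    if target_name not in BROWSER_TARGETS:
        return False
    if not ev.granted_access & PROCESS_VM_READ:
        return False  # metadata-only handles cannot read credential memory
    return ev.source_image.lower() not in ALLOWED_SOURCES


def scan(lines):
    """Return the ProcessAccess events worth raising to the SOC."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events (paths and process names are illustrative).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    # Allowlisted system process with full access: expected, not reported.
    rf"SourceImage=C:\Windows\System32\csrss.exe TargetImage={EDGE} GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Unknown binary from a temp directory asking for the minimal read mask
    # (QUERY_LIMITED_INFORMATION | VM_READ = 0x1010): reported.
    rf"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe TargetImage={EDGE} GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Explorer querying basic info only (0x1000, no VM_READ): not reported.
    rf"SourceImage=C:\Windows\explorer.exe TargetImage={EDGE} GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Same unknown binary reading a non-browser process: out of scope here.
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} opened {ev.target_image} "
              f"with 0x{ev.granted_access:X}")
```

The rule keys on the access mask rather than on a specific tool name, because any memory dumper needs PROCESS_VM_READ on the target and that bit is visible in the Sysmon record regardless of how the dump is taken. The allowlist is where the tuning effort goes: a handful of system and security processes legitimately open browsers with read rights, and they must be enumerated explicitly rather than matched on a directory prefix, since an attacker with admin rights can place a binary anywhere. The same logic ports directly to an EDR or SIEM rule, with the privileged-access controls from the Recommended Actions reducing how often the rule has anything to report.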