HomeIntelligenceBrief
BREACH BRIEF🟡 Medium Advisory

Microsoft Edge Stores Saved Passwords in Plaintext RAM – Design Feature Raises Credential Exposure Risk

A security researcher revealed that Microsoft Edge retains all saved passwords in cleartext within its process memory. Microsoft confirms this is an intentional design choice, meaning any malware with admin rights can harvest credentials. TPRM teams must reassess Edge as a corporate password manager.

LiveThreat™ Intelligence · 📅 May 07, 2026· 📰 zdnet.com
🟡
Severity
Medium
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
zdnet.com

Microsoft Edge Stores Saved Passwords in Plaintext RAM – Design Feature Raises Credential Exposure Risk

What Happened – Security researcher Tom Jøran Sønstebyseter Rønning demonstrated that Microsoft Edge keeps every saved password decrypted in the browser’s process memory (RAM) whenever the password manager is enabled. Microsoft confirmed the behavior, stating it is an intentional design choice meant to improve sign‑in speed.

Why It Matters for TPRM

  • Credential data can be harvested by any malware that gains administrative access to a workstation, bypassing encryption protections.
  • Organizations that mandate Edge as the corporate password manager expose employees’ login secrets to a broader attack surface.
  • The issue is not a vulnerability in Edge itself but a risk‑by‑design that must be accounted for in third‑party and endpoint security assessments.

Who Is Affected – All industries that allow or require employees to use Microsoft Edge for password storage, especially those with high‑value credentials (finance, healthcare, SaaS, government).

Recommended Actions

  • Review internal policies on approved password managers; consider alternatives that encrypt credentials in memory.
  • Ensure endpoint protection (EDR) is deployed and that privileged‑access controls limit admin rights on user workstations.
  • Apply the latest Windows and Edge security updates; enforce device‑level encryption and secure boot.

Technical Notes – Edge decrypts stored credentials at startup and retains them in cleartext within the browser process memory. An attacker with administrative rights can dump the process memory to retrieve passwords. No CVE is associated; the behavior is documented by Microsoft as a feature. Source: ZDNet Security

📰 Original Source
https://www.zdnet.com/article/microsoft-edge-passwords-ram-plaintext/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →