An attacker who has administrative privileges can access Microsoft Edge user passwords—even when they aren’t actively being used—because the browser keeps them in cleartext within process memory as part of a design choice by Microsoft.
A newly disclosed cybersecurity finding has raised concerns among IT professionals and enterprise administrators after researchers revealed that Microsoft Edge loads all saved user passwords into plaintext process memory immediately upon launch—regardless of whether those credentials are ever used during the session.
The discovery, published on April 29 by Palo Alto Networks researchers in Norway and highlighted by the independent platform BigBiteOfTech, stems from a broader comparative analysis of Chromium-based browsers. The research was led by a security analyst operating under the alias “L1v1ng0ffTh3L4N,” who examined how different browsers handle credential storage and decryption in memory.
A Design Decision That Raises Security Questions
According to the findings, Edge stands apart from its competitors by decrypting the entire password vault at startup and retaining those credentials in cleartext within the browser’s active memory for the duration of the session.
This behavior contrasts sharply with Google Chrome, which uses a more restrictive model known as on-demand decryption. In Chrome, stored credentials are only decrypted when needed—such as during autofill or when a user explicitly chooses to view a password.
Chrome also employs an additional safeguard called App-Bound Encryption, which ties decryption keys to the authenticated browser process. This mechanism helps prevent unauthorized applications from reusing those keys to extract stored credentials.
Edge, by comparison, does not currently implement either of these protections. As a result, once the browser is opened, every saved username and password becomes accessible in plaintext to any process capable of reading its memory.
Illusion of Protection in the User Interface
One of the more controversial aspects of the finding is the apparent contradiction between Edge’s internal behavior and its user-facing security controls.
While the browser’s password manager prompts users to re-authenticate—typically via system credentials or biometrics—before revealing stored passwords, researchers argue that this step offers only superficial protection.
In practice, the credentials are already decrypted and present in memory long before any such prompt appears. This means that the authentication barrier applies only to the graphical interface, not to the underlying data itself.
This creates what they describe as an “illusion of access control,” potentially misleading users into believing their stored passwords are more securely protected than they actually are.
Elevated Risk in Enterprise and Shared Systems
The implications become significantly more severe in enterprise environments, particularly those using shared infrastructure such as Remote Desktop Services (RDS) or virtual desktop systems.
In such setups, multiple users may be logged into the same machine simultaneously. If an attacker gains administrative privileges on that system, they can potentially access the memory of all active user sessions.
Researchers demonstrated this risk in a proof-of-concept scenario, where a compromised administrator account was used to extract credentials from multiple users—including those with inactive or disconnected sessions—simply by reading the memory of their running Edge processes.
This type of attack maps to MITRE ATT&CK T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), the technique entry describing credential extraction from browser storage.
In such environments, a single breach could escalate rapidly into a full-scale credential compromise, exposing login data across numerous accounts and services.
Microsoft Response: “By Design”
Following responsible disclosure, Microsoft reportedly responded that the observed behavior is intentional and falls within the browser’s design parameters.
Microsoft’s documentation acknowledges that credentials stored in memory may be accessible under certain local attack conditions. However, Microsoft classifies these scenarios as outside the browser’s primary threat model, which typically assumes that local system compromise already represents a critical security failure.
This stance has sparked debate within the cybersecurity community, with some experts arguing that modern threat models must increasingly account for post-compromise scenarios, especially in enterprise environments where lateral movement is a key attack strategy.
Industry Reaction and Mitigation Considerations
The disclosure has prompted renewed scrutiny of browser security practices, particularly in organizations that rely heavily on built-in password managers.
Security teams are now being advised to reassess their configurations, especially in environments involving:
- Terminal servers
- Virtual Desktop Infrastructure (VDI)
- Shared or multi-user systems
In these contexts, experts recommend considering alternative browsers that implement stricter credential handling mechanisms, such as on-demand decryption and process-bound encryption.
Additionally, organizations may explore layered security approaches, including:
- Endpoint detection and response (EDR) tools
- Privileged access management (PAM)
- Limiting administrative privileges
- Encouraging the use of dedicated password managers
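One concrete form the EDR item above can take, as an added example that is not part of the disclosure or the researcher's tool: a Python triage filter over Sysmon Event ID 10 (ProcessAccess) records that flags non-Edge processes opening an Edge process with memory-read access and raises the severity when the source and target accounts differ, the RDS/VDI scenario described above. The sample records are constructed; the SourceUser/TargetUser fields are assumed to be present in the Sysmon build in use, and the msedge.exe allowlist is an assumption.

```python
"""Flag process-memory reads against Microsoft Edge in Sysmon-style
ProcessAccess (Event ID 10) records. Added example; all events are constructed."""
import ntpath

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumption: Edge's own processes legitimately open handles to each other.
ALLOWED_SOURCES = {"msedge.exe"}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample events using Sysmon Event ID 10 field names.
SAMPLE_EVENTS = [
    # Edge opening Edge: normal browser behaviour, allowlisted
    {"SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF",
     "SourceUser": "CORP\\alice", "TargetUser": "CORP\\alice"},
    # Unknown binary run by an admin reading another user's Edge process
    {"SourceImage": r"C:\Users\admin\Desktop\dump.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1010", "SourceUser": "CORP\\admin", "TargetUser": "CORP\\bob"},
    # Memory read against a non-Edge process: out of scope for this rule
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010",
     "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "CORP\\bob"},
    # Query-only handle (no PROCESS_VM_READ bit): cannot read memory
    {"SourceImage": r"C:\Tools\procexp64.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1400", "SourceUser": "CORP\\carol", "TargetUser": "CORP\\carol"},
]


def classify(event):
    """Return None, 'medium' or 'high' for one ProcessAccess record."""
    target = ntpath.basename(event["TargetImage"]).lower()
    source = ntpath.basename(event["SourceImage"]).lower()
    if target != "msedge.exe" or source in ALLOWED_SOURCES:
        return None
    if not int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None  # handle was granted without memory-read rights
    # A different account reading an Edge process is the shared-host case.
    cross_user = event["SourceUser"].lower() != event["TargetUser"].lower()
    return "high" if cross_user else "medium"


def scan(events):
    """Return one finding per suspicious record, ready for an alert queue."""
    findings = []
    for e in events:
        severity = classify(e)
        if severity:
            findings.append({"severity": severity, "source": e["SourceImage"],
                             "victim": e["TargetUser"]})
    return findings
```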
Verification Tool Released
To support transparency and independent validation, the researcher released an educational tool alongside the disclosure. The utility allows users and administrators to test whether their own Edge sessions contain accessible plaintext credentials in memory.
While not intended for malicious use, the tool underscores how easily such data could be extracted under the right conditions.
Broader Implications
The findings highlight a growing tension in cybersecurity between usability and protection. Browser-integrated password managers offer convenience and seamless user experience, but their internal handling of sensitive data remains a critical point of scrutiny.
As organizations continue to operate in increasingly complex and shared computing environments, experts warn that assumptions about “trusted local systems” may no longer hold.
Whether Microsoft will revisit Edge’s current design remains unclear. For now, the disclosure serves as a reminder that even widely used software can harbor architectural decisions with far-reaching security implications.