Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch

HomeCyber Security Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch By Guru Baran May 5, 2026 A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites. The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior. Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session. The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password. Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials. Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory. What makes this finding particularly contradictory is Edge’s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory. The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction. The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers. An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously. In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory. MICROSOFT EDGE LOADS ALL YOUR SAVED PASSWORDS INTO MEMORY IN CLEARTEXT — EVEN WHEN YOU’RE NOT USING THEM. PIC.TWITTER.COM/CI0ZLEYFLB — Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026 This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 — Credentials from Web Browsers. Microsoft Edge Passwords in Cleartext When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.” Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model. The April 29 disclosure at BigBiteOfTech included a small educational verification tool that allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior. Security teams managing Windows environments with Edge deployed those operating terminal servers, VDI environments, or any shared-access systems, particularly should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision. Free Webinar to align your endpoint security to meet new requirements – Register Now Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News WhatsApp Testing Own Cloud Backup Provider for Default End-to-End Encryption Cursor AI Coding Agent Vulnerability Allow Attackers to Execute Code on Developer’s Machine pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk New Fake CAPTCHA Campaign Uses SMS Pumping Fraud to Run Up Victims’ Phone Bills Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets Latest News Cyber Security WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs Cyber Security News Instagram’s to End Encrypted Chats for Direct Messages Cyber Security News Beware of Fake ‘Notepad++ for Mac’ Website, Possibly Could Harm your Machine Android Critical Android Zero-Click Vulnerability Grants Remote Shell Access Cyber Security News pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk