Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk
Dark Reading
A proof-of-concept exploit (PoC) shows how someone with admin privileges can exploit the issue to steal passwords, and thus use them to engage in further malicious activity.
Elizabeth Montalbano, Contributing Writer
May 5, 2026
UPDATE
An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.
Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.
The basic issue is that Microsoft Edge decrypts and stores all passwords that have been saved in the browser in process memory, "even if the person never visits the site that uses those credentials," Rønning, offensive security/internal penetration tester and technical team lead of proactive security at Norway's Statnett SF, wrote on X in one of a series of posts detailing the issue. He conducted the research about the issue in his own time and not in his role at the company, he noted.
This sets up an extremely risky scenario, especially for shared corporate environments, he said, because an attacker who gains admin access on a terminal service "can access the memory of all logged‑on user processes," Rønning wrote.
Exploiting a Microsoft Browser Weakness
Speaking to Dark Reading by phone, Rønning explained how an attacker with administrative access can exploit the issue in an organization running a Windows environment by accessing process memory via Citrix, virtual desktop infrastructure (VDI), or a Windows terminal server.
"Once you have that, you have access to all process memory. … If another user has stored their passwords in Edge, you can dump these credentials" and use them for myriad malicious activities, he tells Dark Reading.
"You can snowball into having more user credentials, and more and more permissions," Rønning says. An attacker can use these credentials stolen from the browser to move laterally, to impersonate other users, steal personal account data or even financial resources, and even conduct ransomware attacks, among other malicious activities, he explains.
Edge Passwords: A False Sense of Security
One counterintuitive aspect of the issue is that a user must type in a separate password to access their saved passwords in Edge, Rønning says. However, the cleartext storage issue in the browser can effectively cancel this out if exploited, letting someone access all Edge passwords even when an Edge session itself isn't active on someone's machine, he notes.
"Since you're an admin, you can start processes as the other user, so you can make Edge start [on a remote desktop]," Rønning says. "So if people have Edge running but aren't using it," their passwords still can be accessed.
In fact, this gives people a false sense of security, Danwei Tran Luciani, chief product technology officer at application security vendor Detectify, tells Dark Reading via email.
"The main risk is that the product signals one level of protection while operating at another," she says. "In enterprise environments, where devices could be shared, sessions persist, and privileges vary, that mismatch increases the likelihood that a local breach turns into credential exposure."
This scenario "effectively widens the blast radius: one foothold on an endpoint can translate into access across multiple accounts and systems," Luciani says.
'By Design': A Feature, Not a Bug?
Rønning said he reported the issue to Microsoft and informed them he would be sharing his PoC and findings. "The official response was that the behavior is 'by design,'" he wrote on X.
Edge is based on the open source Chromium framework, which is also the basis for Google Chrome, Opera, Brave, and Vivaldi. Rønning says he tested Chrome and Brave, among other browsers, and says that Edge is the only browser based on the framework that behaves this way. In contrast, Chrome, for example, uses a design that makes it more difficult for attackers to extract saved passwords, he said in his findings.
"It decrypts credentials only when needed, instead of keeping all passwords in memory at all times," he wrote on X. "App‑bound encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys."
Because of these controls, Chrome, Brave, and other Chromium browsers using ABE only show plaintext passwords briefly during autofill or when the user views them, "making broad memory scraping far less effective," Rønning wrote.
Microsoft's explanation for not using ABE and allowing the cleartext password storage is that "when you're talking about security boundaries, when you have administrator access, all bets are off," he explains.
A Microsoft spokesperson says as much to Dark Reading via email, noting that access to browser data via the scenario Rønning described would require the device to already be compromised. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," the spokesperson says. "Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application."
However, Rønning says that, in his experience, ABE makes the malicious activity needed to break this protection easier to detect than it would be in cases where ABE does not exist. "Also, what I found is that Edge loads all the passwords in memory even though you don't need them," which is "a strange design decision to make," he adds.
How Orgs Can Defend Against Browser Security Problems
The most basic defense for an organization running Windows and using Edge as a default browser, which Rønning says many corporate Windows environments do, is to set group policies to prevent Edge from storing passwords.
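One way to check whether that policy is actually in effect on a given host is sketched below, as an added example that is not from the article or from Rønning's tooling. It assumes Microsoft's documented Edge policy `PasswordManagerEnabled` under the `Policies\Microsoft\Edge` registry key; the function names and output shape are illustrative.

```powershell
# Added example: audit the Edge policy that stops the browser from saving
# passwords, and optionally set it locally on a standalone or test machine.
# In a domain, deploy the setting through Group Policy or MDM instead.
$PolicyName = 'PasswordManagerEnabled'   # DWORD: 0 = saving disabled

function Get-EdgePasswordPolicy {
    [CmdletBinding()]
    param(
        # Machine-wide and per-user policy hives that Edge reads.
        [string[]]$PolicyPath = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
            'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
        )
    )
    foreach ($path in $PolicyPath) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $PolicyName -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$PolicyName }
        }
        # An absent value means the policy is not configured, so the
        # browser's default (offer to save passwords) applies.
        if ($null -eq $value) { $state = 'NotConfigured' }
        elseif ($value -eq 0) { $state = 'SavingDisabled' }
        else { $state = 'SavingEnabled' }

        [pscustomobject]@{ Path = $path; Value = $value; State = $state }
    }
}

function Set-EdgePasswordSavingDisabled {
    # Requires an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    if ($PSCmdlet.ShouldProcess($path, "Set $PolicyName = 0")) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -LiteralPath $path -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Report the current state; a host is a finding when no hive is SavingDisabled.
$report = Get-EdgePasswordPolicy
$report | Format-Table -AutoSize
if (-not ($report.State -contains 'SavingDisabled')) {
    Write-Warning 'Edge password saving is not disabled by policy on this host.'
}
```

Microsoft's policy documentation describes this setting as blocking new saves while previously saved passwords remain usable, so entries already stored in user profiles need separate cleanup.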
For personal users who use Edge at home or on a corporate system without these group policies, his advice is "to not use Edge at all," as "this attack vector would probably not be easy to stop regardless."
Luciani's advice to organizations, meanwhile, is to reduce reliance on the browser as a credential store in enterprise contexts. Instead, organizations should "use dedicated, managed password solutions with stronger access controls; limit local and admin privileges; and pay close attention to endpoint monitoring, especially for behaviors like memory scraping," she says.
"It also matters to think about where browsers are used: shared machines, [virtual] environments, and privileged sessions carry higher risk and should be treated accordingly," Luciani adds.
This article was updated at 7:30 a.m. ET on May 6 to reflect a statement from Microsoft.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.