TempMail Ninja

Microsoft Edge Password Vulnerability: Plaintext Credentials Exposed in Memory


The digital security landscape shifted under the feet of millions of Windows users this week as a foundational architectural choice in the world's second-most-used browser was laid bare. At the Big Bite of Tech 26 event in Oslo, security researcher Tom Jøran Sønstebyseter Rønning demonstrated a startling reality: the Microsoft Edge password vulnerability is not an oversight or a buggy line of code but a deliberate design decision that leaves every credential saved in Edge sitting in plaintext in the browser's process memory. While competitors have moved toward process-level protection of secrets at runtime, Microsoft's flagship browser continues to prioritize performance and legacy compatibility over defense in depth.

The Anatomy of the Microsoft Edge Password Vulnerability

To understand the severity of this discovery, one must look at how modern browsers handle secrets during runtime. For years, the standard for on-disk protection on Windows has been the Data Protection API (DPAPI): stored credentials are encrypted under keys tied to your Windows user account, so while the browser is closed (or the disk is read offline) they are not recoverable without that account's logon secret. Once a browser is launched, however, it must decrypt those passwords at some point to do its job as a password manager. When it does so, and for how long the plaintext lives, is where the Microsoft Edge password vulnerability manifests.

According to Rønning's research, Microsoft Edge performs a bulk decryption of the entire saved credential database (the Login Data SQLite file) immediately upon launch. These credentials, usernames, passwords, and associated URLs, are then held as plaintext strings in the memory of the browser's parent process, the one that owns the password store and coordinates the renderer, GPU and utility children. Crucially, this happens even if the user never visits the websites in question during that session. The passwords sit in RAM, unencrypted and static, for as long as the browser process runs.
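The claim above is about one specific process. As an added check (example code written for this page, not Rønning's tool and not Microsoft's), the following PowerShell locates the Edge browser process, the msedge.exe instance launched without a --type= switch, lists its children, and asks Windows whether the current token may open it with PROCESS_VM_READ. It only opens and closes a handle; it reads no memory. Assumed: Windows PowerShell 5.1 or PowerShell 7 on Windows with Edge running.

```powershell
# Added example, not from the article or the EdgeSavedPasswordsDumper PoC.
# Finds the Edge browser ("parent") process, lists its children, and tests
# whether the current token can open it for memory reading. No memory is read.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-EdgeBrowserProcess {
    # Chromium child processes carry --type=renderer / gpu-process / utility / ...;
    # the browser process that owns the credential store has no --type= switch.
    Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe'" |
        Where-Object { $_.CommandLine -notmatch '--type=' }
}

function Test-CanReadProcessMemory {
    # Opens the process with the rights a memory scraper needs, then closes it.
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $access = $PROCESS_VM_READ -bor $PROCESS_QUERY_LIMITED_INFORMATION
    $h = [Win32.Native]::OpenProcess($access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ ProcessId = $ProcessId; CanRead = $false; Win32Error = $err }  # 5 = access denied
    }
    [void][Win32.Native]::CloseHandle($h)
    [pscustomobject]@{ ProcessId = $ProcessId; CanRead = $true; Win32Error = 0 }
}

foreach ($browser in Get-EdgeBrowserProcess) {
    $owner = ($browser | Invoke-CimMethod -MethodName GetOwner).User
    "Edge browser process PID {0} (user {1})" -f $browser.ProcessId, $owner
    $children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($browser.ProcessId)"
    foreach ($c in $children) {
        $type = if ($c.CommandLine -match '--type=([a-z-]+)') { $Matches[1] } else { '?' }
        "  child PID {0,-6} type={1}" -f $c.ProcessId, $type
    }
    Test-CanReadProcessMemory -ProcessId $browser.ProcessId
}
```

Run it once unelevated in your own session and once elevated: the first shows whether a same-user process gets a handle without any privilege at all, the second whether other users' Edge parents on a shared host are reachable. Note that Edge's Startup boost setting keeps browser processes alive after the last window closes, so a parent process, and whatever it holds, may exist with no Edge window visible.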

Runtime Exposure vs. At-Rest Encryption

The core of the controversy lies in the distinction between encryption at rest and protection during runtime. Microsoft has long argued that its on-disk encryption is robust. Yet Rønning's demonstration showed that runtime protection is virtually non-existent in Edge. Using a plain memory-scanning technique, any process that can open the browser process for reading (by default, one running as the same user; an elevated one for other users' sessions) can scrape the RAM and extract every password the user has saved in Edge. This architectural choice stands in stark contrast to the evolution of the underlying Chromium engine on which Edge is built.

Chrome’s App-Bound Encryption: The Performance vs. Security Divide

The discovery is particularly jarring because Google Chrome, the progenitor of the Chromium project, shipped a solution to this exact problem in 2024. Known as App-Bound Encryption (ABE) and introduced in Chrome 127, initially for cookies and since extended to other secrets, it moves the key that wraps the credential store out of user-level DPAPI and into a Chrome elevation service running as SYSTEM, which only releases the key to a caller whose executable path it verifies. A process that merely runs as the same user can therefore no longer call DPAPI and decrypt the database. In Chrome, passwords are also decrypted on a just-in-time (JIT) basis, according to Rønning's testing: a password is only converted to plaintext the moment it is needed for an autofill action or when a user explicitly requests to view it in the settings.

The technical differences between the two browsers are significant:

  • Decryption Trigger: Chrome decrypts credentials individually on-demand; Edge decrypts the entire vault at startup.
  • Process Isolation: Chrome uses ABE to ensure that even if another program is running as the same user, it cannot easily use Chrome’s own keys to decrypt the password database.
  • Memory Persistence: In Chrome, plaintext secrets are transient and wiped from memory shortly after use. In Edge, they persist in the parent process indefinitely.

Rønning noted that in his testing of various Chromium-based browsers, including Brave and Opera, Edge was the only major player that still followed this “all-at-once” plaintext memory loading pattern. This has led security professionals to question why Microsoft chose to deviate from the safer defaults increasingly adopted by the Chromium community.

EdgeSavedPasswordsDumper: The Proof of Concept

To silence skeptics, Rønning released a proof-of-concept (PoC) tool on GitHub named EdgeSavedPasswordsDumper. This C# utility is a stark reminder of how accessible the data is: run with administrative or SYSTEM rights it can reach every session on the machine, and by default Windows lets a process open another process belonging to the same user without any elevation at all. The tool does not rely on complex exploits or zero-day vulnerabilities; it identifies the Edge parent process, scans its memory space for known patterns associated with the browser's internal credential structures, and outputs the results in an easy-to-read format.

The technical capabilities of the dumper include:

  • Extraction of usernames, passwords, and URLs from active Edge processes.
  • The ability to target the specific parent process (the msedge.exe instance launched without a --type= switch; every child carries --type=renderer, --type=gpu-process, --type=utility and so on, visible in Task Manager's Command line column).
  • Bypassing the need for the user to be actively browsing or even interacting with the browser.

While Microsoft maintains that an attacker needs administrative rights to perform such a memory dump, infostealing malware frequently seeks exactly these privileges, and much of it already runs in the victim's own user context. Once a device is even partially compromised, plaintext credentials in memory allow a smash-and-grab attack that is faster and more reliable than decrypting the DPAPI-protected database from disk, which at least requires the victim's DPAPI keys or a live session as that user.
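Because the dump is just a cross-process memory read, it leaves a footprint defenders can watch for: a process-access event on msedge.exe whose granted mask includes PROCESS_VM_READ (0x0010). Sysmon logs exactly that as Event ID 10 (ProcessAccess). The following is an added PowerShell example, not code from the article or the PoC; the event records are constructed for the demo, and the allowlist of benign source images is an assumption to tune to your own estate.

```powershell
# Added example, not from the article or the PoC. Scores Sysmon Event ID 10
# (ProcessAccess) records: a source process opening msedge.exe with
# PROCESS_VM_READ is the primitive every memory scraper needs first.

$PROCESS_VM_READ = 0x0010

# Images that legitimately open browser memory in many environments
# (Edge's own processes, Windows Error Reporting). Assumed; tune locally.
$AllowedSourceImages = @(
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    'C:\Windows\System32\WerFault.exe'
)

function Get-SuspiciousEdgeAccess {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetImage -notlike '*\msedge.exe') { continue }
        $granted = [Convert]::ToUInt32($e.GrantedAccess, 16)     # Sysmon formats it as '0x1010'
        if (($granted -band $PROCESS_VM_READ) -eq 0) { continue } # cannot read memory with this mask
        if ($AllowedSourceImages -contains $e.SourceImage) { continue }
        [pscustomobject]@{
            Time          = $e.UtcTime
            SourceImage   = $e.SourceImage
            SourcePid     = $e.SourceProcessId
            TargetPid     = $e.TargetProcessId
            GrantedAccess = ('0x{0:X4}' -f $granted)
            Reason        = 'PROCESS_VM_READ on msedge.exe from non-allowlisted image'
        }
    }
}

# Constructed sample records in the shape of Sysmon EID 10 EventData.
$sample = @(
    [pscustomobject]@{ UtcTime = '2026-02-10 09:14:02'
        SourceImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; SourceProcessId = 4120
        TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; TargetProcessId = 4988
        GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ UtcTime = '2026-02-10 09:15:40'
        SourceImage = 'C:\Users\alice\Downloads\update.exe'; SourceProcessId = 7712
        TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; TargetProcessId = 4120
        GrantedAccess = '0x1010' }
    [pscustomobject]@{ UtcTime = '2026-02-10 09:16:01'
        SourceImage = 'C:\Users\alice\Downloads\update.exe'; SourceProcessId = 7712
        TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; TargetProcessId = 4120
        GrantedAccess = '0x1000' }
)

Get-SuspiciousEdgeAccess -Events $sample | Format-Table -AutoSize
# Only the second record is flagged: the first comes from Edge itself, and the
# third asks for PROCESS_QUERY_LIMITED_INFORMATION alone, which cannot read memory.
```

In production, feed the function from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log (Id 10), mapping the EventData fields by name. Sysmon only emits these events when its configuration includes a ProcessAccess rule for the browser, so add one for msedge.exe; most EDR products expose an equivalent telemetry source.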

The Enterprise Nightmare: VDI, Citrix, and Terminal Servers

While the risk to individual home users is significant, the Microsoft Edge password vulnerability presents a catastrophic risk profile for enterprise environments. In shared computing infrastructures, such as Virtual Desktop Infrastructure (VDI) with pooled hosts, Citrix Virtual Apps, or Remote Desktop Session Host (Terminal Server) deployments, many user sessions run on a single Windows instance, each with its own Edge processes.

In these environments, a single compromised administrative account can be used to “pivot” and dump the memory of every logged-in user on the server. Because Edge pre-loads the passwords for all active sessions into their respective processes, an attacker can harvest thousands of credentials from hundreds of different users simultaneously. This effectively turns a single point of failure into a total organizational compromise. As Morey Haber, Chief Security Advisor at BeyondTrust, noted, passwords should be “transient secrets” that disappear the moment they are no longer needed. In the context of a terminal server, Edge’s design makes these secrets permanent residents of the system’s RAM.

Microsoft’s Response: “By Design” and the Philosophy of Security Boundaries

Microsoft’s official stance on the matter has been divisive. The company has classified this behavior not as a bug to be patched, but as a deliberate design choice. A Microsoft spokesperson stated that the current implementation is intended to “balance browser performance with security.” Their primary argument is rooted in the Ten Immutable Laws of Security, specifically Law #6: “A computer is only as secure as the administrator is trustworthy.”

In Microsoft’s view, if an attacker has the ability to read system memory or possesses administrative privileges, the system is already “game over.” Therefore, they argue, adding layers like App-Bound Encryption or just-in-time decryption offers a false sense of security while potentially slowing down the browser’s startup time and autofill responsiveness. However, this “all-or-nothing” approach to security has been heavily criticized by the wider cybersecurity community.

The Industry Backlash: Critiquing “Performance over Protection”

Cybersecurity leaders from top-tier firms have not minced words in their critique of Microsoft’s “by design” defense. Craig Lurey, CTO and co-founder of Keeper Security, pointed out that while Windows attempts to isolate applications, the reality is that non-elevated programs can often find ways to “pillage” the memory of other processes running in the same user context. The existence of plaintext passwords in memory provides a low-hanging fruit that modern software should have phased out years ago.

BeyondTrust experts further argued that this design choice ignores the concept of Defense-in-Depth. Even if a machine is compromised, a well-designed application should make it as difficult as possible for the attacker to extract sensitive data. By leaving passwords in plaintext, Microsoft is essentially “waving the white flag” once the initial perimeter is breached, rather than forcing the attacker to navigate further hurdles.

Strategies for Mitigation and Migration

Given Microsoft’s current refusal to alter this behavior, the burden of protection has shifted to IT administrators and end-users. Security professionals are now issuing a series of urgent recommendations to mitigate the risks associated with the Microsoft Edge password vulnerability.

  1. Migrate to Dedicated Password Managers: The most effective solution is to stop using the browser's built-in password management system entirely. Standalone managers like Keeper, Bitwarden, or 1Password use zero-knowledge encryption, keep the vault encrypted in memory except for the entry being used, and lock it after a timeout, so a memory scrape yields at most one credential rather than the whole vault.
  2. Implement Kernel-Level Protections: Tools such as Keeper Forcefield or advanced Endpoint Detection and Response (EDR) suites can monitor for, and block, cross-process memory reads of the browser, potentially stopping tools like EdgeSavedPasswordsDumper even when the attacker has administrative rights. At minimum, alert on any non-browser process opening msedge.exe with PROCESS_VM_READ.
  3. Disable Password Saving via GPO: For enterprise environments, administrators should use Group Policy to disable the "Offer to save passwords" feature in Microsoft Edge across the domain (the Edge policy PasswordManagerEnabled set to Disabled), and clear credentials users have already saved.
  4. Enforce Strict Session Management: In VDI and Citrix environments, ensure that disconnected sessions are terminated quickly (the Remote Desktop Services policy "Set time limit for disconnected sessions") so that the associated Edge processes, and the plaintext they hold, are cleared from the server's RAM.
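As an added example (not from the article), here is how mitigations 3 and 4 look when applied and audited on a single host, using the machine policy registry values that a domain GPO would set. Assumed: run elevated on Windows; the five-minute disconnect limit is an illustrative choice, not a recommendation from the page.

```powershell
# Added example, not from the article. Applies the Edge password-manager policy
# and the RDS disconnected-session limit via the policy registry keys that a
# GPO writes, then audits them. Run elevated; prefer a domain GPO for fleets.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$RdsPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-EdgePasswordManagerDisabled {
    # PasswordManagerEnabled = 0 turns off saving and autofilling passwords in Edge
    # (the "Offer to save passwords" feature). Edge picks it up at its next policy refresh.
    New-Item -Path $EdgePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $EdgePolicyKey -Name 'PasswordManagerEnabled' -Value 0 -Type DWord
}

function Set-DisconnectedSessionLimit {
    # "Set time limit for disconnected sessions"; MaxDisconnectionTime is in milliseconds.
    param([int]$Minutes = 5)   # 5 minutes is an assumed value; choose your own
    New-Item -Path $RdsPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $RdsPolicyKey -Name 'MaxDisconnectionTime' -Value ($Minutes * 60 * 1000) -Type DWord
}

function Test-EdgePasswordHardening {
    # Reads back both policies and counts live Edge processes, which still hold
    # whatever was decrypted at launch until they exit.
    $edge = Get-ItemProperty -Path $EdgePolicyKey -ErrorAction SilentlyContinue
    $rds  = Get-ItemProperty -Path $RdsPolicyKey  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PasswordManagerDisabled     = ($edge.PasswordManagerEnabled -eq 0)
        DisconnectLimitMinutes      = if ($rds.MaxDisconnectionTime) { $rds.MaxDisconnectionTime / 60000 } else { $null }
        EdgeProcessesRunning        = @(Get-Process msedge -ErrorAction SilentlyContinue).Count
    }
}

Set-EdgePasswordManagerDisabled
Set-DisconnectedSessionLimit -Minutes 5
Test-EdgePasswordHardening
```

Confirm the Edge policy landed by opening edge://policy on the host (and gpupdate /force if it came from a GPO). The policy stops new passwords from being saved and autofilled; it does not by itself remove entries already in the profile's Login Data file, so clear those through edge://settings/passwords or a fresh profile and then verify on your own build that nothing is loaded at launch.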

Conclusion: The Future of Browser Trust

The revelation of the Microsoft Edge password vulnerability serves as a critical case study in the ongoing tension between user convenience and robust security. While Microsoft prioritizes a fast, seamless experience for its users, the cost of that speed is a widened attack surface that modern infostealers are all too eager to exploit. As browsers become the primary portal through which we access both personal and corporate lives, the expectation of “secure by design” is no longer optional—it is a requirement.

For now, the message from the security community is clear: a browser is a window to the web, not a safe for your secrets. Until Microsoft aligns Edge with the more rigorous memory-handling standards of its peers, the most prudent course of action is to treat browser-based password storage as a significant liability. In the age of sophisticated memory-scraping malware, plaintext is a relic that we can no longer afford to tolerate.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.