Microsoft Edge stores all saved passwords in cleartext in process memory as a deliberate design decision, even when those credentials are not actively in use. A security researcher published a proof-of-concept tool demonstrating how an attacker with admin privileges can dump these credentials from process memory — including via Citrix, VDI, or Windows terminal servers — enabling lateral movement, impersonation, and ransomware attacks. Microsoft acknowledged the behavior as 'by design,' citing that admin access removes security boundaries. In contrast, Chrome and other Chromium-based browsers use app-bound encryption (ABE) that decrypts credentials only when needed. Mitigations include setting group policies to prevent Edge from storing passwords, using dedicated password managers, limiting admin privileges, and monitoring for memory-scraping behaviors.

From darkreading.com