Researchers found Microsoft Edge keeps all saved passwords in plaintext in process memory, even for unused accounts. The issue affects the browser’s credential management and means malware or a local attacker with memory access can harvest credentials without triggering typical protections. The findings highlight broader concerns about in-memory encryption, secure handling of autofill data, and the risk posed by credential exposure in modern browsers. Users should consider using dedicated password managers, enable OS-level protections, and apply the principle of least privilege until Microsoft issues a fix or mitigation guidance.
Microsoft confirmed that its Edge browser stores users' saved passwords decrypted in system memory, a change introduced with a sync redesign. Security researchers warn this means all plaintext credentials can be present in RAM, potentially exposing them to malware or anyone with memory access. Microsoft says the design is intentional for performance and that access is limited to processes with appropriate permissions, framing it as low risk. The debate matters because browsers increasingly act as password managers and any in-memory plaintext storage widens the attack surface for credential theft, affecting enterprise security and user trust. Researchers urge scrutiny and defensive measures like OS-level protections and credential vaulting.
Microsoft Edge stores all passwords in memory in clear text, even when unused