LmCast :: Stay tuned in

Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk

Recorded: May 11, 2026, 1:16 p.m.


A proof-of-concept exploit (PoC) shows how someone with admin privileges can exploit the issue to steal passwords, and thus use them to engage in further malicious activity.

Elizabeth Montalbano, Contributing Writer
May 5, 2026

An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.

Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.

The basic issue is that Microsoft Edge decrypts and stores all passwords that have been saved in the browser in process memory, "even if the person never visits the site that uses those credentials," Rønning, offensive security/internal penetration tester and technical team lead of proactive security at Norway's Statnett SF, wrote on X in one of a series of posts detailing the issue. He conducted the research in his own time and not in his role at the company, he noted.

This sets up an extremely risky scenario, especially for shared corporate environments, he said, because an attacker who gains admin access on a terminal service "can access the memory of all logged‑on user processes," Rønning wrote.

Exploiting a Microsoft Browser Weakness

Speaking to Dark Reading by phone, Rønning explained how an attacker with administrative access can exploit the issue in an organization running a Windows environment by accessing process memory via Citrix, virtual desktop infrastructure (VDI), or a Windows terminal server. "Once you have that, you have access to all process memory. … If another user has stored their passwords in Edge, you can dump these credentials" and use them for myriad malicious activities, he tells Dark Reading.

"You can snowball into having more user credentials, and more and more permissions," Rønning says. An attacker can use these credentials stolen from the browser to move laterally, to impersonate other users, steal personal account data or even financial resources, and even conduct ransomware attacks, among other malicious activities, he explains.

Edge Passwords: A False Sense of Security

Something that seems counter-intuitive about the issue is that for a user to access their saved passwords in Edge, they must type in a separate password, Rønning says. However, the cleartext storage issue in the browser can cancel this out if exploited, letting someone access all Edge passwords even when an Edge session itself isn't active on someone's machine, he notes.

"Since you're an admin, you can start processes as the other user, so you can make Edge start [on a remote desktop]," Rønning says. "So if people have Edge running but aren't using it," their passwords still can be accessed.

In fact, this gives people a false sense of security, Danwei Tran Luciani, chief product technology officer at application security vendor Detectify, tells Dark Reading via email.

"The main risk is that the product signals one level of protection while operating at another," she says. "In enterprise environments, where devices could be shared, sessions persist, and privileges vary, that mismatch increases the likelihood that a local breach turns into credential exposure." This scenario "effectively widens the blast radius: one foothold on an endpoint can translate into access across multiple accounts and systems," Luciani says.

'By Design': A Feature, Not a Bug?

Rønning said he reported the issue to Microsoft and informed them he would be sharing his PoC and findings. "The official response was that the behavior is 'by design,'" he wrote on X.

Edge is based on the open source Chromium framework, which is also the basis for Google Chrome, Opera, Brave, and Vivaldi. Rønning says he tested Chrome and Brave, among other browsers, and says that Edge is the only browser based on the framework that behaves this way. In contrast, Chrome, for example, uses a design that makes it more difficult for attackers to extract saved passwords, he said in his findings.

"It decrypts credentials only when needed, instead of keeping all passwords in memory at all times," he wrote on X. "App‑bound encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys."

Because of these controls, Chrome, Brave, and other Chromium browsers using ABE only show plaintext passwords briefly during autofill or when the user views them, "making broad memory scraping far less effective," Rønning wrote.

Microsoft's explanation for not using ABE and allowing the cleartext password storage is that "when you're talking about security boundaries, when you have administrator access, all bets are off," he explains.

A Microsoft spokesperson says as much to Dark Reading via email, noting that access to browser data via the scenario Rønning described would require the device to already be compromised. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," the spokesperson says. "Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application."

However, Rønning says that, in his experience, ABE makes the malicious activity needed to break this protection easier to detect than it is in cases where ABE does not exist. "Also, what I found is that Edge loads all the passwords in memory even though you don't need them," which is "a strange design decision to make," he adds.

How Orgs Can Defend Against Browser Security Problems

The most basic defense for an organization running Windows and using Edge as a default browser — which Rønning says many corporate Windows environments do — is to set group policies to prevent Edge from storing passwords.

For personal users who use Edge at home or on a corporate system without these group policies, his advice is "to not use Edge at all," as "this attack vector would probably not be easy to stop regardless."

Luciani's advice to organizations, meanwhile, is to reduce reliance on the browser as a credential store in enterprise contexts. Instead, organizations should "use dedicated, managed password solutions with stronger access controls; limit local and admin privileges; and pay close attention to endpoint monitoring, especially for behaviors like memory scraping," she says.

"It also matters to think about where browsers are used: shared machines, [virtual] environments, and privileged sessions carry higher risk and should be treated accordingly," Luciani adds.

This article was updated at 7:30 a.m. ET on May 6 to reflect a statement from Microsoft.
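
The group-policy mitigation named in the article's defense section can be audited per host. The PowerShell below is an added example, not code from the article, the researcher or Microsoft; it assumes the documented Edge policy value `PasswordManagerEnabled` under the `Policies\Microsoft\Edge` registry key and the default precedence in which a machine policy overrides a user policy.

```powershell
# Added example: report whether Edge password saving is blocked by policy on this host.
# Mandatory policies live under ...\Policies\Microsoft\Edge; values under
# ...\Edge\Recommended are only defaults that the user can still change.
function Get-EdgePasswordPolicy {
    # Ordered by assumed precedence: machine first, then user (HKCU is the
    # hive of the account running this script, not of every logged-on user).
    $sources = @(
        @{ Scope = 'Machine';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' },
        @{ Scope = 'User';                Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge' },
        @{ Scope = 'Machine-Recommended'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended' }
    )
    foreach ($s in $sources) {
        $value = $null
        if (Test-Path -Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.PasswordManagerEnabled }
        }
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 0)  { $state = 'SavingDisabled' }
        else                   { $state = 'SavingEnabled' }

        [pscustomobject]@{ Scope = $s.Scope; Value = $value; State = $state }
    }
}

function Test-EdgePasswordSavingBlocked {
    # Only a mandatory policy counts; a "Recommended" value can be overridden by the user.
    $effective = Get-EdgePasswordPolicy |
        Where-Object { $_.Scope -in 'Machine', 'User' -and $_.State -ne 'NotConfigured' } |
        Select-Object -First 1
    return ($null -ne $effective -and $effective.State -eq 'SavingDisabled')
}

Get-EdgePasswordPolicy | Format-Table -AutoSize
if (-not (Test-EdgePasswordSavingBlocked)) {
    Write-Warning 'Edge password saving is not blocked by a mandatory policy on this host.'
    # To enforce locally (normally deployed through a GPO or MDM instead), run elevated:
    # New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Force | Out-Null
    # Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name 'PasswordManagerEnabled' -Value 0 -Type DWord
}
```

Per Microsoft's policy documentation, disabling this policy stops new passwords from being saved while previously saved ones remain usable, so entries already stored in Edge need separate cleanup.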

Microsoft Edge’s password storage mechanism, as revealed by security researcher Tom Jøran Sønstebyseter Rønning, presents a significant enterprise risk. The issue centers on the browser’s design to decrypt and store all saved passwords in process memory, regardless of whether the user actively visits the associated website. This behavior, deemed “by design” by Microsoft, creates a vulnerability that an attacker with administrative privileges can exploit. Specifically, an administrator on a Windows environment utilizing Citrix, VDI, or a Windows terminal server can gain access to the memory of logged-on user processes, subsequently accessing and utilizing the stored Edge passwords. Rønning demonstrated this through a proof-of-concept tool, highlighting the potential for a cascading effect where stolen credentials can be leveraged to perform lateral movement, impersonate users, exfiltrate sensitive data, conduct ransomware attacks, or facilitate broader malicious activities.

The risk is particularly pronounced in shared corporate environments. The fact that Edge, unlike browsers like Chrome and Brave, stores passwords in this manner even when they are not actively in use introduces a false sense of security. The design decision, explained by Microsoft as a balance between performance, usability, and security, prioritizes convenience over stringent security measures. This preference, combined with the administrator’s ability to manipulate processes, creates a vulnerability that could be easily exploited. Danwei Tran Luciani, chief product technology officer at application security vendor Detectify, emphasized the mismatch between the presented security layer and the underlying functionality, stating that “the product signals one level of protection while operating at another.”

The fundamental issue is that Edge decrypts all saved passwords and keeps them in process memory, while Chrome, Brave, and other Chromium browsers decrypt credentials only when needed and use App-Bound Encryption (ABE) to bind decryption to an authenticated Chrome process. This prevents other processes from reusing Chrome’s encryption keys, making broad memory scraping far less effective. Rønning’s research underscores this distinction, and highlights the potential consequences that may arise from a security system design that seemingly prioritizes user experience over robust control of sensitive data. Ultimately, the vulnerability highlights the importance of careful consideration of browser design choices within enterprise environments and the potential for exploitation when prioritizing convenience over security.