When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.
At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.
Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.
It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.
Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.
If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on
(or even disconnected) users with Edge running. I reported this to Microsoft, and the official response was that the behavior is “by design”. They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions
about how they manage credentials. Last wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway
Simple, educational proof of concept, to show that the passwords are stored in cleartext in memory.
Do other browsers do this too?
Firefox has master password concept since ages. Though the default behaviour is to store it in plain text.
Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.
It decrypts credentials only when needed,
From the article abstract in the OP
Not really the same, but unless a user has set a Primary / Master Password someone can copy and paste Firefox’s profile data (e.g from Windows Appdata) to another machine or user account and have access to all the saved passwords. If the user was signed in with a Mozilla account, it even maintains that login session.
It’s been this way for over 10 years, easy target if the disk is unencrypted or a scam artist has coerced someone into the ‘remote control’ phase of their scam.
I think that used to work for Chrome as well, but I think it didn’t work last time I tried.
If you don’t set up the password lock for the password manager in the browser then there are tools to retrieve the passwords
Not remotely accessible, though. Would need root access.
It would only need malicious javascript to be loaded in a separate tab, and a memory disclosure or memory protection bypass exploit. These types of exploits come along from time to time:
https://en.wikipedia.org/wiki/Row_hammer#Exploits
https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)#Remote_exploitation
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#Impact
Holy shit that’s actually insane, fml i thought edge was okay to use at work (we have Microsoft 365 enteprise)
OOPS! Lookie here, saving passwords for autofill is a NO NO! Blue teams pay close attention! There’s/ no choice now but to pay for Microsoft Entra ID for all your applications! We will control all that you see and hear. Resistance is futile!
Feels like that’s the actual plan, leak everyone’s passwords and then charge money for a “secure passkey manager”
I thought all browsers do this. …because they kind of have to
