Microsoft Edge Stores Passwords In Plaintext In RAM

Published: May 6, 2026 at 07:00 PM EDT
Source: Slashdot

Findings

Security researcher Tom Joran Sonstebyseter Ronning discovered that Microsoft Edge stores passwords in plaintext in RAM. After creating a password and saving it with Edge’s password manager, Ronning was able to dump the system memory and retrieve the password in clear text.

Key points of the issue:

  • Edge loads all saved passwords into memory during a single verification check, even when the user is not visiting a specific site.
  • This behavior differs from Chrome, which only loads passwords for the relevant website when prompted and clears them from memory after they have been filled.
  • Edge does not delete passwords from memory after use, leaving them exposed for the duration of the session.

Microsoft’s Response

Microsoft downplayed the risk, stating that accessing browser data in the described manner would require the device to already be compromised:

“Access to browser data as described in the reported scenario would require the device to already be compromised,” Microsoft said.

Ronning countered that an attacker with administrative privileges could dump passwords for multiple logged‑on users, not just the privileged account.

Microsoft’s official comment:

“Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”
