Edge Browser Stores All Passwords in Plaintext Memory

💡 Security researcher reveals Microsoft Edge loads every saved password in cleartext memory. Microsoft responds the behavior is 'by design.'

A cybersecurity researcher has published a proof-of-concept tool exposing a significant security weakness in Microsoft Edge: the browser loads all saved passwords in plaintext directly into system memory, making them potentially accessible to any process with memory-reading capabilities. Microsoft has acknowledged the behavior but says it is 'by design,' sparking concern among security professionals and everyday users alike.

The researcher, operating under the name Tom Jøran Sønstebyseter Rønning, shared the findings across social platforms including X (formerly Twitter), complete with a full demonstration showing how trivially the passwords can be extracted.

Key Takeaways

  • Microsoft Edge stores all saved passwords in cleartext in the browser's process memory
  • A proof-of-concept extraction tool has been publicly released
  • Microsoft has confirmed this is intentional behavior, not a bug
  • The vulnerability affects any user who saves passwords in Edge's built-in password manager
  • Attackers with local access or memory-reading malware could harvest every stored credential at once
  • The issue reignites debate over browser-based password managers versus dedicated third-party solutions

Researcher Demonstrates Full Password Extraction

The proof-of-concept tool developed by Rønning demonstrates a straightforward attack scenario. Once Edge is running and the user is logged in, every password the browser has saved becomes available in the application's memory space — not encrypted, not obfuscated, but in raw plaintext.

This means that any malicious software running on the same machine with sufficient privileges could scan Edge's memory and extract the full list of stored credentials. The demonstration showed usernames, passwords, and associated URLs all readable in a single pass.

What makes this particularly alarming is the scale of exposure. Unlike a phishing attack that targets one credential at a time, this approach yields every saved password simultaneously. For users who rely on Edge's built-in password manager — and Microsoft has aggressively promoted this feature — the risk surface is enormous.

Microsoft Says This Is 'By Design'

Perhaps the most controversial aspect of this disclosure is Microsoft's response. When confronted with the findings, the company reportedly stated that the behavior is 'by design.' In other words, Microsoft does not consider this a vulnerability worthy of a patch or fix.

Microsoft's reasoning likely centers on a common security assumption: if an attacker already has the ability to read another process's memory, the machine is already considered compromised. This is a well-known stance in the security community, sometimes referred to as the 'assumed breach' model at the local privilege level.

However, critics argue this position ignores practical threat scenarios. Malware that reads process memory is extremely common. Infostealers — a category of malware specifically designed to harvest credentials, cookies, and session tokens from browsers — represent one of the fastest-growing threat categories in 2024 and 2025. Security firms like CrowdStrike, Recorded Future, and Group-IB have all documented sharp increases in infostealer campaigns targeting browser-stored data.

How This Compares to Other Browsers

Edge is built on the Chromium open-source engine, the same foundation that powers Google Chrome, Brave, Opera, and Vivaldi. This raises an immediate question: do other Chromium-based browsers exhibit the same behavior?

The answer is nuanced. Chrome and other Chromium browsers also handle decrypted credentials in memory at certain points — for example, when autofilling a login form. However, the specific concern with Edge appears to center on the scope and duration of plaintext exposure:

  • Google Chrome decrypts passwords on demand when autofill is triggered
  • Microsoft Edge reportedly loads all saved passwords into memory in cleartext, not just the one being actively used
  • Firefox uses a different architecture entirely and offers an optional primary password feature that encrypts the credential store with a user-chosen passphrase
  • Brave and Vivaldi inherit Chromium's behavior but have not been specifically tested with this proof-of-concept tool

The distinction matters. Loading every credential into memory simultaneously creates a far larger window of opportunity for extraction compared to decrypting a single password at the moment of use.

Why Browser Password Managers Face Growing Scrutiny

This incident arrives at a time when browser-based password management is under increasing scrutiny from the cybersecurity community. While browser password managers offer undeniable convenience — they are free, built-in, and require zero additional software — they were never designed with the same threat model as dedicated password management solutions.

Dedicated password managers like 1Password, Bitwarden, Dashlane, and KeePass employ several additional layers of protection:

  • Zero-knowledge architecture: The master password never leaves the local device in decrypted form
  • Memory protection: Credentials are decrypted only briefly and memory is actively scrubbed after use
  • Process isolation: Password vaults run in separate, hardened processes
  • Clipboard clearing: Copied passwords are automatically removed from the clipboard after a set time
  • Encrypted database files: Even at rest, the vault file is encrypted with AES-256 or similar algorithms

By contrast, browser password managers must balance security with the seamless autofill experience users expect. This often means credentials exist in decrypted form in memory for extended periods.

The rise of infostealers like RedLine, Raccoon, Vidar, and Lumma has made this trade-off increasingly dangerous. These malware families specifically target browser credential stores and are sold as Malware-as-a-Service (MaaS) on underground forums for as little as $100 to $200 per month, dramatically lowering the barrier to entry for cybercriminals.

The Infostealer Epidemic Adds Urgency

The timing of this disclosure coincides with what security researchers are calling an infostealer epidemic. According to data from IBM X-Force's 2025 Threat Intelligence Index, infostealer-related incidents rose by over 80% year-over-year. SpyCloud reported that in 2024, more than 3.2 billion credentials were harvested by infostealers globally.

These tools operate with surgical precision. A typical infostealer infection lasts only seconds to minutes, during which the malware:

  1. Scans browser process memory for decrypted credentials
  2. Extracts saved passwords from local database files
  3. Harvests session cookies for services like Google, Microsoft 365, and banking portals
  4. Captures cryptocurrency wallet data
  5. Exfiltrates everything to a command-and-control server

With Edge loading all passwords in plaintext memory, step 1 becomes trivially easy. The attacker does not even need to decrypt local database files — the credentials are already waiting in cleartext.

What Users Should Do Right Now

While Microsoft may not view this as a vulnerability, users can take immediate steps to reduce their exposure:

  • Migrate to a dedicated password manager like 1Password or Bitwarden, which offer stronger memory protection
  • Disable Edge's built-in password saving by navigating to Settings > Passwords and toggling off the 'Offer to save passwords' option
  • Enable multi-factor authentication (MFA) on every account that supports it — even if a password is stolen, MFA provides a critical second barrier
  • Keep your operating system and browser updated to minimize the risk of malware gaining the initial foothold needed to read process memory
  • Use endpoint detection and response (EDR) software that can identify and block infostealer activity in real time
  • Consider Windows Credential Guard on enterprise systems, which uses virtualization-based security to isolate credential processes

Looking Ahead: Will Microsoft Change Course?

Microsoft's 'by design' stance puts the company in an uncomfortable position. As Edge continues to gain market share — it currently holds approximately 13% of the global desktop browser market according to StatCounter — the number of users affected by this design choice grows proportionally.

The broader industry trend is moving toward passkeys and passwordless authentication, technologies that Microsoft itself is actively promoting through Windows Hello and FIDO2 support. In a passwordless future, this particular vulnerability becomes less relevant. But that future is still years away for most users and organizations.

In the meantime, the security community will likely continue pressuring Microsoft to implement basic memory protections — such as encrypting credentials in memory and decrypting them only at the moment of use, or scrubbing memory regions after autofill operations complete.
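The two designs contrasted in this article (everything in cleartext for the whole session versus decrypt-at-use followed by a scrub), as an added C example; it is not code from Edge, Chromium, or the researcher's tool. The names `vault_t`, `vault_use`, `plaintext_visible` and the sample secrets are constructed for illustration, and the XOR cipher is a placeholder for an OS-backed primitive.

```c
#include <stdint.h>
#include <string.h>

#define NCRED 3
#define SLOT 32
/* Constructed sample secrets, not real credentials. */
static const char *SAMPLE[NCRED] = {"hunter2-example", "correct-horse", "s3cr3t-sample"};
typedef struct { uint8_t slot[NCRED][SLOT]; uint32_t key; } vault_t;
/* Zero a buffer through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(void *p, size_t n) {
    for (volatile uint8_t *v = p; n--; v++) *v = 0;
}
/* PLACEHOLDER cipher (XOR with an LCG keystream), NOT secure. A real build would use an
 * OS primitive (e.g. CryptProtectMemory on Windows) so the key is not stored beside the data. */
static void toy_crypt(uint8_t *b, size_t n, uint32_t key, uint32_t idx) {
    uint32_t s = key ^ (idx * 2654435761u);
    for (size_t i = 0; i < n; i++) { s = s * 1664525u + 1013904223u; b[i] ^= (uint8_t)(s >> 24); }
}
/* Eager design: every credential sits in the vault as plaintext for the whole session. */
void vault_load_eager(vault_t *v) {
    memset(v, 0, sizeof *v);
    for (int i = 0; i < NCRED; i++) memcpy(v->slot[i], SAMPLE[i], strlen(SAMPLE[i]));
}
/* Protected design: slots are encrypted as soon as they are loaded. */
void vault_load_protected(vault_t *v, uint32_t key) {
    vault_load_eager(v);
    v->key = key;
    for (int i = 0; i < NCRED; i++) toy_crypt(v->slot[i], SLOT, key, (uint32_t)i);
}
/* Decrypt one slot into a scratch buffer, hand it to the consumer, then wipe it. */
int vault_use(const vault_t *v, int i, int (*use)(const char *)) {
    uint8_t tmp[SLOT];
    memcpy(tmp, v->slot[i], SLOT);
    toy_crypt(tmp, SLOT, v->key, (uint32_t)i);
    int rc = use((const char *)tmp);
    secure_wipe(tmp, sizeof tmp);
    return rc;
}
/* Self-check: how many sample secrets appear verbatim anywhere in the vault bytes. */
int plaintext_visible(const vault_t *v) {
    const uint8_t *b = (const uint8_t *)v;
    int hits = 0;
    for (int i = 0; i < NCRED; i++) {
        size_t n = strlen(SAMPLE[i]);
        for (size_t off = 0; off + n <= sizeof *v; off++)
            if (memcmp(b + off, SAMPLE[i], n) == 0) { hits++; break; }
    }
    return hits;
}
int autofill_len(const char *secret) { return (int)strlen(secret); } /* stand-in consumer */
```

With the eager vault all three secrets are readable at rest; with the protected vault none are, and only the one slot passed to `vault_use` is ever in cleartext, for the duration of the callback.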

The disclosure also raises broader questions about the security responsibilities of platform vendors. When a company bundles a password manager into a product used by over 1 billion people and actively encourages its use, the security bar should arguably be higher than 'if the machine is compromised, everything is compromised anyway.'

For now, the proof-of-concept tool remains publicly available, serving as both a warning and a call to action. Whether Microsoft ultimately reconsiders its design philosophy — or whether users simply vote with their feet by switching to dedicated password managers — remains to be seen.