Microsoft Edge decrypts every saved password and dumps them into plaintext memory the instant it launches. No site visit required. No autofill triggered. Just raw credentials, sitting exposed for the entire session. A Norwegian cybersecurity researcher, Tom Jøran Sønstebyseter Rønning, uncovered this behavior last week, sparking outrage across security circles. He tested major Chromium-based browsers. Edge stood alone.
Rønning detailed his findings in a now-viral X post, including a proof-of-concept video. Launch Edge. Fire up a memory scanner like Process Hacker. There they are: usernames, passwords, all in cleartext. “Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them,” he wrote. [X post by @L1v1ng0ffTh3L4N].
He reported it to Microsoft first. Their reply? “By design.” No fix planned. Rønning pushed back. Edge still demands your Windows credentials to view passwords in the settings UI—yet the browser process already holds them unencrypted. Irony piles on.
This isn’t theoretical. On terminal servers or shared corporate machines, an admin-level compromise turns Edge into a credential goldmine. Attackers read memory from any logged-on user’s process. Even disconnected sessions. Rønning’s demo shows a rogue admin extracting passwords from two other users’ Edge instances. No exploits needed. Just access.
Why Edge Behaves Differently
Chromium roots explain some quirks, but not this one. Google Chrome decrypts on demand—only during autofill or manual reveal. App-Bound Encryption ties keys to the authenticated process, blocking reuse by outsiders. Plaintext vanishes fast. Brave follows suit. Edge? It loads the full vault upfront. Persists it. Rønning confirmed: “Edge is the only Chromium-based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.” [Mashable].
German outlet Heise Online replicated the issue. They echoed best practices: decrypt at use. Wipe from memory soon after. Edge ignores that. Microsoft’s docs claim passwords stay encrypted on disk via AES, with keys in OS-protected storage. [Microsoft Learn]. Fair enough—for files. Memory tells another story.
Shared environments amplify the blast radius. Think remote desktop sessions, Citrix, or Azure Virtual Desktop. One breached admin account harvests dozens. Security teams scanning X lit up Monday. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged-on user processes,” Rønning noted. [Heise Online]. Posts from @IntCyberDigest and @BrianRoemmele racked up thousands of views, urging switches to dedicated managers like Bitwarden or 1Password.
Users trust browsers with bank logins, email, corporate VPNs. Edge ships default on Windows. Billions affected. Mashable reached out to Microsoft. No further comment as of Tuesday. Rønning disclosed at Palo Alto Networks Norway’s BigBiteOfTech on April 29, releasing a verification tool. Security pros grabbed it fast.
But. Disk encryption holds. Casual drive theft stays blocked. The threat lives in runtime: malware with debug privileges, extensions gone rogue, insiders. Tools like Mimikatz already hunt process memory. Edge hands them the keys.
Expect enterprise fallout. IT admins eye policies banning browser storage. Group Policy can disable autofill, force external managers. Momentum builds on X—calls to ditch Edge entirely. Chrome fans point fingers. Fair play? Chromium’s open, yet Microsoft customized this path.
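For admins weighing the Group Policy route mentioned above, here is an added example (not from Rønning, Microsoft or the original article) that audits the registry-backed Edge policy `PasswordManagerEnabled` at machine and user scope and can optionally set it. The `-Enforce` switch and the function name are hypothetical, and the script treats the machine-level value as taking precedence over the user-level one.

```powershell
# Added example: audit, and optionally set, the Edge policy controlling the
# built-in password manager. Run from an elevated PowerShell session on Windows.
param([switch]$Enforce)   # hypothetical switch: write the machine-wide policy

$PolicyName = 'PasswordManagerEnabled'   # Edge policy, stored as a DWORD
$Hives = [ordered]@{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-EdgePasswordPolicy {
    # Emit one row per scope with the raw value and a readable state.
    foreach ($scope in $Hives.Keys) {
        $value = $null
        $item = Get-ItemProperty -Path $Hives[$scope] -Name $PolicyName `
                    -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$PolicyName }
        $state = if ($null -eq $value) { 'NotConfigured (saving allowed)' }
                 elseif ($value -eq 0) { 'Disabled (saving blocked)' }
                 else                  { 'Enabled (saving allowed)' }
        [pscustomobject]@{ Scope = $scope; Value = $value; State = $state }
    }
}

if ($Enforce) {
    # Create the policy key if it is missing, then set the DWORD to 0.
    $path = $Hives['Machine']
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $PolicyName -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

$rows = @(Get-EdgePasswordPolicy)
$rows | Format-Table -AutoSize

# Assumption: the machine-level value wins when both scopes are configured.
$effective = $rows | Where-Object { $null -ne $_.Value } | Select-Object -First 1
if ($effective) {
    "Effective setting comes from $($effective.Scope): $($effective.State)"
} else {
    'No policy configured: Edge offers to save passwords by default.'
}
```

Microsoft's documentation for this policy says that disabling it stops users from saving new passwords but still lets them use previously saved ones, so entries already in the vault have to be exported and deleted separately. The article does not say whether the policy changes what Edge loads into memory at launch.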
Rønning’s work spotlights broader tensions. Browsers balloon into everything-apps: passwords, payments, profiles. Convenience clashes with isolation principles. Edge’s choice prioritizes speed over segmentation. Fine for solo desktops. Disaster in multi-user setups.
No patch announced. Users: export credentials now. Switch browsers. Or live with “by design.” In high-stakes environments, that’s no option. The vault stays open.


WebProNews is an iEntry Publication