{"id":12618,"date":"2026-05-05T10:03:42","date_gmt":"2026-05-05T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/05\/microsoft-edge-stores-all-saved-passwords-in-cleartext-process-memory-at-launch\/"},"modified":"2026-05-05T10:03:42","modified_gmt":"2026-05-05T10:03:42","slug":"microsoft-edge-stores-all-saved-passwords-in-cleartext-process-memory-at-launch","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/05\/microsoft-edge-stores-all-saved-passwords-in-cleartext-process-memory-at-launch\/","title":{"rendered":"Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch"},"content":{"rendered":"

Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites.<\/p>\n

The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior.<\/p>\n

Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.<\/p>\n

The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password.<\/p>\n

Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials.<\/p>\n

Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user\u2019s vault sits in plaintext in the browser\u2019s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.<\/p>\n

What makes this finding particularly contradictory is Edge\u2019s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory.<\/p>\n

The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction.<\/p>\n

The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS)<\/a> or terminal servers.<\/p>\n

An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.<\/p>\n

In a published proof-of-concept<\/a> video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory.<\/p>\n

\n
\n
\n
\n

Microsoft Edge loads all your saved passwords into memory in cleartext \u2014 even when you\u2019re not using them. pic.twitter.com\/ci0ZLEYFLB<\/a><\/p>\n

\u2014 Tom J\u00f8ran S\u00f8nstebyseter R\u00f8nning (@L1v1ng0ffTh3L4N) May 4, 2026<\/a>\n<\/p><\/blockquote>\n