Microsoft Edge keeps all saved passwords exposed in plaintext RAM, and the company says that's working as intended.
Norwegian security researcher Tom Jøran Sønstebyseter Rønning discovered the issue and published his findings on May 4. The browser decrypts every stored credential at startup, even when the user never visits a site that requires those credentials during the session.
"Edge is the only Chromium-based browser I've tested that behaves this way," Rønning said. "By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory." The vulnerability is straightforward: any attacker with local access to a machine can dump its process memory and read every saved credential in cleartext. The authentication gate for viewing them in the manager offers no protection, since the data is already sitting unencrypted in RAM.
Industry best practice dictates that passwords "should only be decrypted at the time of use and deleted from memory very shortly thereafter." Microsoft has not publicly explained what benefit this design provides. Rønning plans to release a tool on GitHub that lets users check whether their stored credentials are exposed. For anyone relying on the browser's built-in manager, his advice has been the same since May 4: migrate to a dedicated password manager and delete all credentials stored in Edge.
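To make the design difference concrete, here is an added illustration (not code from the article, from Rønning, or from any browser) of the two credential lifetimes the piece contrasts: decrypting the whole vault at startup and leaving it resident, versus decrypting a single credential into a caller-owned scratch buffer only for the duration of one use and scrubbing it immediately afterwards. The vault key, the ciphertext and the XOR "cipher" are constructed placeholders for whatever key-wrapping a real password store uses; the point is when the plaintext exists, not how it is encrypted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample vault: one credential ("hunter2") protected with a toy
 * XOR keystream. Placeholder for a real AEAD; only the plaintext lifetime
 * matters for this example. */
#define SECRET_LEN 7
static const uint8_t VAULT_KEY[8] = {0x5a, 0x13, 0xc4, 0x77, 0x2e, 0x90, 0x0b, 0xe1};
static const uint8_t SECRET_CT[SECRET_LEN] = {0x32, 0x66, 0xaa, 0x03, 0x4b, 0xe2, 0x39};

/* Overwrite through a volatile pointer so the compiler cannot elide the
 * scrub as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

static void toy_decrypt(const uint8_t *ct, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = ct[i] ^ VAULT_KEY[i % sizeof VAULT_KEY];
}

/* Count bytes of a buffer that still hold non-zero (i.e. secret) data. */
size_t resident_secret_bytes(const uint8_t *buf, size_t n) {
    size_t live = 0;
    for (size_t i = 0; i < n; i++) live += (buf[i] != 0);
    return live;
}

/* Design the article warns about: decrypt at startup, keep the plaintext
 * resident for the whole process lifetime. */
uint8_t resident_plain[SECRET_LEN];
void vault_open_eager(void) {
    toy_decrypt(SECRET_CT, SECRET_LEN, resident_plain);
}

/* Recommended design: plaintext exists only inside `use`, in a buffer the
 * caller owns (so it can live on the stack and be inspected afterwards). */
typedef int (*credential_use_fn)(const uint8_t *plain, size_t n, void *ctx);

int vault_use_credential(credential_use_fn use, void *ctx, uint8_t scratch[SECRET_LEN]) {
    toy_decrypt(SECRET_CT, SECRET_LEN, scratch);
    int rc = use(scratch, SECRET_LEN, ctx);
    secure_zero(scratch, SECRET_LEN);   /* scrub before returning, success or not */
    return rc;
}

/* Sample consumer: constant-time comparison of the stored password against a
 * submitted one. Returns 1 on match, 0 otherwise. */
int check_password(const uint8_t *plain, size_t n, void *ctx) {
    const char *submitted = (const char *)ctx;
    if (strlen(submitted) != n) return 0;
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++) diff |= plain[i] ^ (uint8_t)submitted[i];
    return diff == 0;
}

int main(void) {
    uint8_t scratch[SECRET_LEN];
    int ok = vault_use_credential(check_password, (void *)"hunter2", scratch);
    /* After the call the scratch buffer holds no secret bytes. */
    size_t leaked = resident_secret_bytes(scratch, SECRET_LEN);
    vault_open_eager();
    /* The eager design leaves all SECRET_LEN plaintext bytes resident. */
    return (ok == 1 && leaked == 0) ? 0 : 1;
}
```

The contrast a defender cares about is observable in the caller: after `vault_use_credential` returns, the only buffer that ever held the plaintext is all zeros, whereas after `vault_open_eager` the plaintext sits in a process-lifetime global that any memory read of the process would include.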