
Microsoft Edge Passwords Exposed in Cleartext Memory at Launch

A security researcher has reported that Microsoft Edge decrypts every saved password into cleartext process memory immediately at startup—and keeps those credentials resident for the entire session, even if the user never visits the related websites. [ppc.land], [gbhackers.com]

What makes this stand out is that the researcher tested multiple Chromium-based browsers and found Edge was the only one showing this “decrypt everything at launch” behavior. [ppc.land], [dataconomy.com]

From a defender’s perspective, this transforms Edge into a high-value, always-on credential cache in RAM—the exact kind of target that memory-scraping malware and post-exploitation tooling loves. [gbhackers.com], [dataconomy.com]


What Was Disclosed (And When)

The disclosure was presented on April 29, 2026 at BigBiteOfTech by PaloAltoNtwks Norway, with an accompanying educational verification tool that allows users to validate whether their Edge process holds passwords in plaintext memory. [ppc.land], [dataconomy.com]

A proof-of-concept demonstration was also shared showing how an attacker who can read process memory can extract credentials while Edge is running. [gbhackers.com], [dataconomy.com]


Why This Matters: Cleartext Memory Is a Credential Goldmine

When passwords are present in cleartext inside a running process, any attacker who achieves the ability to read that process memory (for example, via admin rights, EDR bypass, or credential dumping tooling) can potentially harvest credentials at scale. [gbhackers.com], [dataconomy.com]

The risk is not limited to a single website login. The report indicates Edge loads the entire saved password vault into memory at launch, meaning a compromise can expose credentials for sites the user never accessed during that session. [ppc.land], [gbhackers.com]

Key takeaway: This expands the blast radius from “passwords you used today” to “every password you’ve ever saved in Edge.” [ppc.land], [dataconomy.com]


Edge vs Chrome: The Security Model Difference

The contrast with Google Chrome is significant:

  • Chrome reportedly uses on-demand decryption, where credentials are decrypted only when needed (autofill or when a user explicitly views a password). [ppc.land], [gbhackers.com]
  • Chrome also uses App-Bound Encryption, binding decryption keys to an authenticated Chrome process to make unauthorized key reuse harder. [ppc.land], [gbhackers.com]
  • Edge, as reported, does not provide equivalent protections and holds all credentials in plaintext memory once launched. [ppc.land], [dataconomy.com]

“Security Theater” Concern: UI Re-Auth vs Memory Reality

One of the most controversial aspects is the mismatch between Edge UI behavior and runtime behavior. Edge may prompt users to re-authenticate (PIN/Windows login) before revealing passwords in the Password Manager UI—yet the same passwords may already exist in plaintext within the browser’s memory. [gbhackers.com], [dataconomy.com]

Key takeaway: The re-auth prompt can create the illusion of protection while not preventing memory-based credential extraction. [gbhackers.com], [dataconomy.com]


The Risk Explodes in RDS, Terminal Servers, and VDI

This design is especially dangerous in shared or multi-user Windows environments (Remote Desktop Services, terminal servers, VDI), where multiple user sessions may coexist on the same host.

In the reported proof-of-concept, an attacker with administrative rights was able to extract stored credentials from other logged-on users, including those with disconnected but active sessions, by reading their Edge process memory. [gbhackers.com], [dataconomy.com]

That means a single admin-level compromise can become a full credential harvest across many users on the same system—mapping cleanly to MITRE ATT&CK T1555.003 (Credentials from Web Browsers) as described in the disclosure coverage. [gbhackers.com], [dataconomy.com]


Microsoft’s Response: “By Design” and Threat Model Boundaries

When responsibly disclosed, Microsoft reportedly responded that the behavior is “by design.” [ppc.land], [gbhackers.com]

Microsoft’s Edge password manager documentation also frames local malware/physical attacks as outside the browser’s threat model, noting that if malware runs as the user, it can access decrypted data and do anything the user can do. [learn.microsoft.com]

Why this matters for enterprises: Many real-world breaches begin with local code execution, credential theft, or admin compromise. In those scenarios, “outside the threat model” can still mean “inside your risk model.” [learn.microsoft.com], [dataconomy.com]


Real-World Attack Scenarios Security Teams Should Consider

  1. Post-exploitation credential harvesting
  • Attacker gains local admin or SYSTEM on a workstation/server.
  • Reads Edge process memory and extracts all saved credentials.
  • Uses them for lateral movement or cloud takeover. [gbhackers.com], [dataconomy.com]
  2. RDS / Terminal Server mass compromise
  • One privileged compromise turns into credential access for multiple users on the same host.
  • Includes disconnected sessions as long as Edge is running. [gbhackers.com], [dataconomy.com]
  3. Insider + process memory access
  • A rogue admin (or admin account takeover) can potentially scrape memory from user processes.
  • This accelerates “credential stuffing from inside” and privilege escalation chains. [dataconomy.com], [learn.microsoft.com]

Detection and Threat Hunting Ideas (Practical)

Even though this is a design choice rather than a CVE, you can still hunt the technique.

What to monitor:

MITRE ATT&CK alignment (for reporting and playbooks):
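As an added example (not from the disclosure or the coverage it cites), the following Python hunt scores Sysmon Event ID 10 (ProcessAccess) records for handles to msedge.exe that carry PROCESS_VM_READ, and raises the severity when the source and target users differ, which is the cross-session RDS/VDI case described above. The allowlist and the sample records are constructed for this example, and the SourceUser/TargetUser fields are assumed to be present (recent Sysmon releases log them; check your schema).

```python
"""Flag memory-read handle access to msedge.exe in Sysmon Event ID 10 records."""

# Process access rights from winnt.h; PROCESS_VM_READ is what a memory reader needs.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Source images expected to open handles to browser processes on a managed host.
# Constructed allowlist for this example; tune it to your own estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",  # Edge's own child processes
}

def parse_granted_access(value):
    """Sysmon logs GrantedAccess as a hex string such as '0x1410'."""
    return int(value, 16)

def is_edge(image):
    return image.lower().endswith(r"\msedge.exe")

def classify(event):
    """Return None for benign, or a severity label for a suspicious Edge memory access."""
    if not is_edge(event["TargetImage"]):
        return None
    if not parse_granted_access(event["GrantedAccess"]) & PROCESS_VM_READ:
        return None  # handle cannot read memory (e.g. PROCESS_QUERY_LIMITED_INFORMATION only)
    if event["SourceImage"].lower() in ALLOWLIST:
        return None
    src_user, tgt_user = event.get("SourceUser", ""), event.get("TargetUser", "")
    if src_user and tgt_user and src_user.lower() != tgt_user.lower():
        return "high: cross-user memory read of Edge"  # one session reading another's browser
    return "medium: memory read of Edge by unexpected process"

def hunt(events):
    """Return (event, severity) pairs worth an analyst's attention, in input order."""
    return [(e, classify(e)) for e in events if classify(e)]

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample records mirroring Sysmon Event ID 10 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},          # Edge parent -> child
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"SourceImage": r"C:\Users\Public\unknown-tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\bob", "TargetUser": r"CORP\alice"},
    {"SourceImage": r"C:\Temp\unknown-tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
]

if __name__ == "__main__":
    for e, sev in hunt(SAMPLE_EVENTS):
        print(sev, "|", e["SourceImage"], "->", e["TargetUser"])
```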


Mitigations and Best Practices (User + Enterprise)

Immediate mitigations (high impact)

  • Do not store high-value credentials in Edge’s built-in password manager on shared systems (RDS/VDI/terminal servers). [dataconomy.com], [ppc.land]
  • Move privileged accounts (admin, break-glass, PAM, CI/CD, cloud) into a dedicated password manager with stronger controls and reduce browser-stored secrets. [dataconomy.com], [learn.microsoft.com]
  • Reduce admin exposure (limit who can read other users’ processes, use JIT/JEA, tiered admin model), because admin memory access is the big multiplier here. [gbhackers.com], [learn.microsoft.com]

Enterprise hardening steps

  • Use Application Control / WDAC to reduce unknown tooling that can dump memory.
  • Strengthen EDR rules for process dump behavior, credential dumping, and suspicious handle access to browser processes.
  • On shared hosts, consider browser standardization to a solution that supports on-demand decryption and stronger key-binding approaches (as highlighted in comparisons).

Risk-based guidance (simple)

  • Workstation, single user: medium risk (still serious if malware lands).
  • RDS/VDI/terminal server: high risk due to cross-session harvesting potential.

Common Misconceptions to Avoid

  • “It’s fine because Edge asks for re-authentication to view passwords.”
    Not sufficient if credentials are already in memory and can be extracted by memory-reading attackers.
  • “Only sophisticated attackers can do this.”
    Any attacker who gets local privileged access can potentially leverage memory-scraping approaches; the PoC demonstrates feasibility.
  • “This is outside the threat model, so it’s not a real risk.”
    Threat models don’t remove enterprise risk—especially where local compromise is a common initial foothold.

FAQs

What exactly was found in Microsoft Edge?
Edge reportedly decrypts all saved passwords into cleartext process memory at launch and keeps them there for the duration of the session.

Is this a vulnerability or a design choice?
Microsoft reportedly stated the behavior is “by design,” and its documentation discusses local attack scenarios as outside the browser threat model.

Why is this worse in RDS/terminal servers/VDI?
Because an attacker with admin rights can read memory from multiple users’ Edge processes, potentially harvesting credentials across sessions—including disconnected ones.

How is Chrome different?
Chrome reportedly uses on-demand decryption and App-Bound Encryption to reduce broad credential exposure and prevent key reuse by other processes.

What should enterprises do right now?
Treat this as a configuration and credential hygiene risk, especially on shared systems—limit browser-stored passwords, reduce admin exposure, and consider alternative browsing/credential strategies.


Conclusion

If the report is accurate, Microsoft Edge’s approach effectively turns the browser into an always-on cleartext credential reservoir in RAM as soon as it starts—creating a large, persistent target for attackers who can read process memory.

For most organizations, the practical risk is highest where:

  • privileged users store credentials in Edge, and/or
  • multi-user environments (RDS/VDI/terminal servers) amplify the impact of one compromise
