Security News: Microsoft Edge permanently keeps all saved passwords in memory as plaintext


ForgottenSeer 116559

Thread author
International Cyber Digest on X:
Microsoft Edge keeps every saved password in process memory as cleartext from the moment it launches. Microsoft's response when reported: "by design."

All of them. Including credentials for sites you won't open this session.

Researcher @L1v1ng0ffTh3L4N tested every major Chromium browser. Edge is the only one that behaves this way.

Chrome decrypts credentials on demand, and App-Bound Encryption locks the keys to an authenticated Chrome process so other processes can't reuse them.

In Chrome, plaintext surfaces only during autofill or when a password is viewed, making memory scraping far less useful.

What makes this extra weird is that Edge still demands re-authentication before revealing those passwords in its Password Manager UI, while the same browser process already holds every one of them in plaintext.

In shared environments, this turns into a credential harvest. On a terminal server, an attacker with admin rights can read the memory of every logged-on user process. In the published PoC video, a compromised admin account lifts stored credentials from two other logged-on (and even disconnected) users with Edge running.

Microsoft's official response when notified: "by design."

The finding was disclosed April 29 at BigBiteOfTech by PaloAltoNtwks Norway, alongside a small educational tool that lets anyone verify the cleartext storage for themselves.


Originally shared with a video in this X post by Tom Jøran Sønstebyseter Rønning.
 
International Cyber Digest on X:

What makes this extra weird is that Edge still demands re-authentication before revealing those passwords in its Password Manager UI
Haha. That's app access control that induces a false sense of security.

For third‑party password managers without an elevated component, unlocked vault memory scraping is pretty much fair game to other processes running as the same user.
 
According to Gemini

How Passwords Enter the Dump File

When a program crashes, the OS performs a "memory dump" to help developers debug the cause. Depending on the type of dump configured, the level of exposure varies:

  • Mini Dumps: These are small and usually only contain the stack trace and loaded modules. Passwords are less likely to be here, but still possible if they were being actively processed by a specific thread.
  • Full User-Mode Dumps: These capture the entire address space of the process (e.g., msedge.exe). In Edge’s case, this would include the decrypted password strings sitting in the heap.
  • Complete Kernel Dumps: If the entire Windows OS crashes (Blue Screen of Death), a "Complete Memory Dump" saves everything in physical RAM to MEMORY.DMP. This would capture the memory of every running application, including those cleartext passwords.

The Forensic Trail

Once a dump file is created, those passwords are no longer "volatile." They are now persistent data stored on your disk.

  1. Persistence: Unlike RAM, which clears when the power is cut, a .dmp file sits in your C:\Windows\Minidump or %LOCALAPPDATA% folder indefinitely until deleted.
  2. Accessibility: Any user with administrative rights (or physical access to the drive) can open these files with tools like WinDbg or even a simple Hex Editor. An attacker can simply search for common strings or patterns associated with the password manager's structure to extract the credentials.
  3. Error Reporting: If you have "Send diagnostic data" or "Error Reporting" enabled and a crash occurs, there is a technical (though statistically low) risk of that dump file—and the secrets within it—being uploaded to a vendor's servers for analysis.
 
According to Gemini
We’re getting into the dark side of using a password manager 😅. To mitigate this, users are encouraged to use encrypted drives. For Windows Pro users, you can also EFS the directory "C:\Users\*\AppData\Local\CrashDumps". Encrypted drives resist people who don’t have access to your machine; EFS helps against people who do.
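As an added example (not part of this thread or of any vendor tool), the following PowerShell audits the two dump settings discussed in the "How Passwords Enter the Dump File" post and applies the EFS mitigation from the reply above. It assumes the standard WER LocalDumps and CrashControl registry keys and their documented DumpType/CrashDumpEnabled meanings, a Pro/Enterprise edition (EFS is not available on Home), and that it runs as the user whose profile folder is being protected.

```powershell
# Added example, not from the thread: audit whether a crashing msedge.exe would leave a full
# process image on disk (WER LocalDumps) or all of RAM would go to MEMORY.DMP (CrashControl),
# then EFS-protect the per-user CrashDumps folder. Assumed: Windows Pro/Enterprise, run as
# the user whose profile is being protected; HKLM values are read here, never written.

$LocalDumpsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-DumpExposure {
    $wer = Get-ItemProperty -Path $LocalDumpsKey -ErrorAction SilentlyContinue
    # DumpType 2 = full user-mode dump: the whole address space, including decrypted heap strings.
    $userMode = @{ 0 = 'Custom'; 1 = 'Mini'; 2 = 'Full (entire process address space)' }
    $dumpType = 'Not configured'
    if ($null -ne $wer.DumpType -and $userMode.ContainsKey([int]$wer.DumpType)) { $dumpType = $userMode[[int]$wer.DumpType] }
    # WER writes to %LOCALAPPDATA%\CrashDumps unless DumpFolder overrides it.
    $folder = Join-Path $env:LOCALAPPDATA 'CrashDumps'
    if ($wer.DumpFolder) { $folder = [Environment]::ExpandEnvironmentVariables($wer.DumpFolder) }
    # CrashDumpEnabled 1 = complete memory dump: every process's memory, Edge included, lands in MEMORY.DMP.
    $kernel = @{ 0 = 'None'; 1 = 'Complete (all physical RAM)'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
    $cc = (Get-ItemProperty -Path $CrashControlKey).CrashDumpEnabled
    $systemDump = "Unknown ($cc)"
    if ($null -ne $cc -and $kernel.ContainsKey([int]$cc)) { $systemDump = $kernel[[int]$cc] }
    [pscustomobject]@{
        UserModeDumpType   = $dumpType
        UserModeDumpFolder = $folder
        SystemCrashDump    = $systemDump
    }
}

function Protect-CrashDumpFolder {
    param([string]$Path = (Join-Path $env:LOCALAPPDATA 'CrashDumps'))
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /e marks the folder so future dumps are written encrypted; /a also encrypts files already
    # present; /s: recurses. Files are then unreadable without this user's EFS key, which is what
    # protects them from someone who can read the raw disk or the profile folder.
    cipher.exe /e /a "/s:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed (EFS unsupported on this edition?)" }
    # Verify by reading the Encrypted attribute on the folder and on every file in it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -File -Recurse)
    foreach ($item in $items) {
        [pscustomobject]@{ Item = $item.FullName; Encrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted) }
    }
}

Get-DumpExposure | Format-List
Protect-CrashDumpFolder | Format-Table -AutoSize
```

Any item still reported as Encrypted = False after the run indicates EFS is unavailable on this edition or the folder sits on a non-NTFS volume.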
 
third party PW Manager like Roboform
I can't say for sure about RoboForm, but I can about Bitwarden and similar implementations. It's better to keep your password manager locked as much as possible (set the automatic lock timeout as short as tolerable) and use the strongest lock protections. Bitwarden now supports FIDO2 keys (PRF-capable) for unlocking, along with configurable alpha-numeric PIN and biometrics, which store some data in better-protected memory. KeePassXC supports security key challenge‑response unlock, and KeePass obfuscates memory (non‑cryptographically) while unlocked.