Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch

Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.

Security researchers have published evidence that Microsoft Edge’s built-in password manager decrypts and holds saved user passwords in cleartext (unencrypted) within the browser’s process memory during an active browsing session. Any process on the same operating system with the ability to access Edge’s process memory — either through legitimate Windows debugging APIs with appropriate permissions, or through a credential stealer running at the same privilege level — can extract the decrypted passwords.

Microsoft has acknowledged the behaviour in response to researcher disclosure, characterising it as an intentional performance optimisation: decrypting passwords at session start and holding them in memory avoids repeated encryption/decryption operations as autofill operates across multiple sites during a session. Microsoft has not committed to a timeline for changing this behaviour and the issue has not been assigned a CVE.

Technical Context

Windows browsers that save passwords face a design choice: when to decrypt and for how long to hold the decrypted credential in memory. The security-sensitive options are:

  1. Decrypt on demand: Decrypt each password only at the moment of autofill, then immediately zero out the memory — minimising the window in which the plaintext is in memory
  2. Decrypt at session start: Decrypt all saved passwords when the browser starts and hold them in memory for the session duration — simplifying access and improving performance at the cost of a persistent plaintext exposure window

Chrome (Google’s browser) uses a similar in-memory storage model. The difference identified in Edge’s case is that Edge’s implementation is reported to make the decrypted passwords more accessible via standard process memory inspection — Chrome’s implementation makes the data more difficult to locate within the process heap without specific knowledge of memory layout.

Firefox uses a different model: saved passwords encrypted with a master password (when configured) are decrypted on demand, held briefly, and zeroed — providing a materially different security property.
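The two decryption lifetimes described above, modelled as an added example that is not Edge's, Chrome's or Firefox's code, with a constructed toy keystream standing in for the real encryption: the on-demand store overwrites its buffer as soon as the autofill ends, while the session-start store keeps the plaintext resident for the life of the object. It illustrates the lifetime difference only; CPython gives no guarantee that no other copy of the data remains elsewhere in the process.

```python
import hashlib
from contextlib import contextmanager

def _keystream(key, length):
    # Toy keystream, SHA-256(key || counter): constructed for illustration only,
    # not a real credential encryption scheme.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def toy_xor(key, data):
    # XOR with the keystream both encrypts and decrypts; returns a mutable
    # bytearray so plaintext never has to pass through an immutable str/bytes.
    return bytearray(a ^ b for a, b in zip(data, _keystream(key, len(data))))

class SessionStartStore:
    # Model 2: decrypt everything at start-up and keep the plaintext resident.
    def __init__(self, key, vault):
        self.resident = {site: toy_xor(key, ct) for site, ct in vault.items()}

    def autofill(self, site):
        return self.resident[site]  # plaintext has been in memory since start-up

class OnDemandStore:
    # Model 1: only ciphertext is resident; decrypt one entry per autofill and
    # overwrite the buffer as soon as the autofill is finished.
    def __init__(self, key, vault):
        self._key, self._vault = key, vault

    @contextmanager
    def autofill(self, site):
        buf = toy_xor(self._key, self._vault[site])
        try:
            yield buf  # use in place; copying to bytes/str would defeat the zeroing
        finally:
            for i in range(len(buf)):
                buf[i] = 0

def compare_models(key, vault, site):
    # What is left in each store's buffer after one autofill of `site`.
    session = SessionStartStore(key, vault)
    session.autofill(site)
    with OnDemandStore(key, vault).autofill(site) as buf:
        retained = buf  # keep a reference to observe the buffer afterwards
    return bytes(session.resident[site]), bytes(retained)
```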

Who Is at Risk

The practical exploit scenario requires:

  • A process running on the same machine as Edge, with the ability to read Edge’s process memory (either through the OpenProcess API with PROCESS_VM_READ rights, or through a debugging API)
  • The user to be logged into Edge with saved passwords active

Credential stealer malware is the primary threat: any infostealer running on a compromised Windows endpoint (Redline, Raccoon, Vidar, and similar common infostealers) that can access Edge’s process memory can extract decrypted passwords without needing to crack DPAPI-encrypted credential database files. This is simpler than offline DPAPI decryption and requires fewer privileges.

Post-exploitation access: An attacker who has achieved code execution on a victim’s system at the same privilege level as Edge (i.e., as the logged-in user) can extract all Edge-saved passwords by reading process memory — providing immediate credential access without needing to attack Edge’s encrypted storage files.

Mitigation and Recommendations

Use a dedicated password manager: Dedicated password managers (Bitwarden, 1Password, Dashlane) are designed with credential-in-memory security as a primary engineering concern. They decrypt passwords on demand, zero memory after use, and are architecturally distinct from browsers that hold credentials for autofill convenience.

Enable Windows Credential Guard: On corporate Windows devices, Windows Credential Guard restricts the processes that can access sensitive credential material — though this primarily protects NTLM and Kerberos credentials rather than browser-stored passwords.

Endpoint protection with memory scanning: EDR products with memory scanning capabilities detect infostealer access to browser process memory. This is a compensating control rather than a fix, but it provides detection capability.
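One shape the compensating detection described above can take, as an added example that is not part of the original article: a rule over Sysmon Event ID 10 (ProcessAccess) records that flags an unexpected process opening msedge.exe with PROCESS_VM_READ (0x0010) set in its GrantedAccess mask. The sample records and the allowlist of expected source images are constructed for the example and need tuning against real telemetry, since some legitimate endpoint tools also read browser memory.

```python
import json
import ntpath

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Source images expected to open msedge.exe with read rights: Edge's own browser
# process manages its child processes. Assumed allowlist for this example;
# tune it to what your own telemetry shows.
EXPECTED_SOURCES = {"msedge.exe"}

# Constructed Sysmon Event ID 10 records as a SIEM might emit them in JSON.
# Field names follow Sysmon; paths and masks are made up for the example.
SAMPLE_EVENTS = [
    # Edge's browser process opening one of its own child processes: expected.
    r'{"EventID":10,"SourceImage":"C:\\Program Files\\Microsoft\\Edge\\msedge.exe",'
    r'"TargetImage":"C:\\Program Files\\Microsoft\\Edge\\msedge.exe","GrantedAccess":"0x1FFFFF"}',
    # Query-only access (no PROCESS_VM_READ bit): cannot read memory.
    r'{"EventID":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe",'
    r'"TargetImage":"C:\\Program Files\\Microsoft\\Edge\\msedge.exe","GrantedAccess":"0x1000"}',
    # Unknown binary in a temp directory opening Edge with PROCESS_VM_READ.
    r'{"EventID":10,"SourceImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",'
    r'"TargetImage":"C:\\Program Files\\Microsoft\\Edge\\msedge.exe","GrantedAccess":"0x1010"}',
    # Same binary reading a non-browser process: outside this rule's scope.
    r'{"EventID":10,"SourceImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",'
    r'"TargetImage":"C:\\Windows\\explorer.exe","GrantedAccess":"0x1010"}',
]

def is_suspicious_edge_read(event):
    # Match when the target is msedge.exe, the granted mask includes
    # PROCESS_VM_READ, and the source is not on the expected list. Basenames
    # are compared case-insensitively because Windows paths are.
    if event.get("EventID") != 10:
        return False
    target = ntpath.basename(event["TargetImage"]).lower()
    source = ntpath.basename(event["SourceImage"]).lower()
    mask = int(event["GrantedAccess"], 16)
    return (target == "msedge.exe" and bool(mask & PROCESS_VM_READ)
            and source not in EXPECTED_SOURCES)

def detect(lines):
    # One alert per matching record, carrying the fields an analyst wants first.
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_edge_read(event):
            alerts.append({"source": event["SourceImage"],
                           "target": event["TargetImage"],
                           "granted_access": event["GrantedAccess"]})
    return alerts
```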

For enterprise policy: If your organisation mandates browser-based password storage, review which browser’s implementation best matches your security requirements. Microsoft’s Group Policy and Intune can restrict browser password manager use and redirect employees to approved dedicated password managers.

Microsoft’s characterisation of this as a performance decision rather than a vulnerability reflects a trade-off between usability and security that the company has determined is acceptable. Users and security teams should evaluate whether that trade-off is acceptable for their own threat models — and configure accordingly.
