Microsoft confirmed on 15 May that it will modify Microsoft Edge’s credential management behaviour to prevent saved passwords from being loaded as plaintext into process memory at startup, addressing the vulnerability class disclosed on 11 May by security researchers. The original disclosure demonstrated that Edge loads all saved passwords in decrypted form into memory when the browser starts, regardless of whether any saved credentials are actively being used — making them recoverable by any process with memory read access to the Edge process.
The Original Issue
The disclosure revealed that Microsoft Edge’s password manager, when a user has saved credentials, decrypts and loads the entire password vault into the Edge main process memory at startup. Unlike other credential managers that decrypt individual credentials only at the moment of use, Edge’s implementation created a persistent plaintext representation accessible to:
- Any other process running as the same user at the same or higher integrity level, since the default process security descriptor already grants that user read access; no special privilege is needed
- Any process holding SeDebugPrivilege (local administrator or SYSTEM), which can open processes belonging to other users as well
- Process injection attacks that gain code execution within the Edge process itself
- Memory dump tools such as ProcDump run against the Edge process, which rely on the same PROCESS_VM_READ access as the cases above
Notably, the original disclosure received no CVE assignment from Microsoft, which characterised the behaviour as a design choice rather than a vulnerability. Security researchers and credential management specialists pushed back on this classification, arguing that loading an entire password database as plaintext into recoverable memory regions contradicts the fundamental purpose of encrypted credential storage.
What Microsoft Will Change
Microsoft confirmed the following behavioural changes in an upcoming Edge security update:
- Passwords will remain encrypted in memory until the specific moment they are needed for an autofill or login operation
- The decryption key will not persist in process memory after use
- The password vault will not be decrypted at browser startup — only on demand
This aligns Edge’s credential handling more closely with the approach taken by 1Password, Bitwarden, and other dedicated password managers, which explicitly design against “memory disclosure” attack scenarios.
Why This Matters
This issue is distinct from the question of whether Edge’s saved passwords are secure at rest. The underlying encryption using Windows DPAPI (Data Protection API) is sound — the concern is specifically about the in-memory representation during an active browser session. In post-exploitation scenarios, where an attacker has some code execution capability on the target system, the ability to dump Edge process memory and recover plaintext credentials for every account the user has saved represents significant credential harvesting capability.
The fix significantly raises the bar for in-memory credential extraction while the browser is running: an attacker dumping process memory would have to catch the decryption in the narrow window around an actual autofill or login event, rather than reading the whole vault at leisure. One caveat applies: the change narrows the memory-disclosure path but does not alter what code already running in the user's session can do. DPAPI's user-scope protection allows any process running as that user to ask the OS to unprotect the data, so a compromised user session still has a route to the stored credentials that does not involve a memory dump.
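The memory-dump route is visible at the OS level as a handle being opened on the Edge process with read access, which Sysmon records as Event ID 10 (ProcessAccess). The script below is an added example written for this article, not code from Microsoft or the disclosing researchers. It flags msedge.exe targets opened with PROCESS_VM_READ by anything outside an assumed baseline; the event records are constructed inline and the baseline list of legitimate source images is an assumption to be replaced with what your own telemetry shows as normal.

```python
"""Hunt Sysmon Event ID 10 (ProcessAccess) records for reads of Edge memory.

Added example for this article, not code from Microsoft or the disclosing
researchers. Records are constructed below; field names match Sysmon's
ProcessAccess event (SourceImage, TargetImage, GrantedAccess, CallTrace).
"""
from typing import List, Optional, Tuple

# Win32 process access-mask bits. PROCESS_VM_READ is the one a memory dump
# cannot do without; PROCESS_QUERY_INFORMATION is usually requested with it.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
# Masks that ProcDump-style tools and debuggers typically request.
FULL_ACCESS_MASKS = {0x1F0FFF, 0x1FFFFF}

# Assumed baseline of source images that legitimately open msedge.exe with
# read access (Edge opening its own child processes, core Windows services).
# Tune this to your environment; it is an assumption, not a Microsoft list.
BASELINE_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_edge_target(target_image: str) -> bool:
    # Sysmon reports only the image path, so the browser process, renderers
    # and utility processes all appear as msedge.exe; all are treated alike.
    return target_image.lower().endswith(r"\msedge.exe")


def can_read_memory(granted_access: str) -> bool:
    # GrantedAccess is a hex string such as "0x1F0FFF".
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def classify(record: dict) -> Optional[str]:
    """Return a finding label for one ProcessAccess record, or None if benign."""
    if not is_edge_target(record["TargetImage"]):
        return None
    if not can_read_memory(record["GrantedAccess"]):
        return None  # query-only handles cannot dump memory
    if record["SourceImage"].lower() in BASELINE_SOURCES:
        return None
    mask = int(record["GrantedAccess"], 16)
    if mask in FULL_ACCESS_MASKS:
        return "full-access handle (dump tool pattern)"
    # Sysmon prints UNKNOWN for call-stack frames in memory not backed by a
    # module on disk, which is what injected code looks like.
    if "UNKNOWN" in record.get("CallTrace", ""):
        return "VM_READ from unbacked code (injection pattern)"
    return "VM_READ from non-baseline process"


def scan(records: List[dict]) -> List[Tuple[str, str]]:
    """Return (SourceImage, label) for every record that warrants a look."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            findings.append((rec["SourceImage"], label))
    return findings


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Edge's browser process opening one of its own children: baseline.
    {"SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|..."},
    # ProcDump-style full-access handle from a user download directory.
    {"SourceImage": r"C:\Users\alice\Downloads\procdump64.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1F0FFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2ae0e"},
    # VM_READ|QUERY_INFORMATION from a temp binary, with an unbacked frame.
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x0410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(0000020F3A1B0012)"},
    # PROCESS_QUERY_LIMITED_INFORMATION only (Task Manager style): no read.
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "CallTrace": "..."},
    # Full-access handle, but the target is not Edge.
    {"SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1F0FFF", "CallTrace": "..."},
]

if __name__ == "__main__":
    for source, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {source}")
```

Against the constructed records, the ProcDump handle and the temp binary with an unbacked call-stack frame are reported; Edge's own child-process handling, the query-only Task Manager handle and the non-Edge target are not. The same logic translates directly into a SIEM rule on Sysmon Event ID 10, and it remains useful after Microsoft's change ships: on-demand decryption shrinks what a dump yields, but the attempt to open the process with read access is still the observable event.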
Recommended Actions
- Apply the Edge update when available: Monitor Microsoft Edge release notes for the security update containing this behavioural change. Ensure Edge auto-update is enabled in your organisation.
- Interim guidance: Until the fix is deployed, treat Edge-saved passwords as recoverable by any process running as the logged-in user, and by any local administrator or SYSTEM process, for as long as the browser is running; this applies with particular force on shared workstations. Consider using a dedicated password manager (1Password, Bitwarden, Keeper) in high-risk environments rather than the browser-built-in credential store.
- Enterprise password policy: Review whether browser-based password managers are approved in your organisation’s credential management policy. The Edge fix addresses the specific memory disclosure issue, but browser credential stores remain a common target in post-exploitation phases.