// #microsoft-edge
2 articles
Microsoft Reverses Course on Edge Plaintext Password Exposure — Update Will Prevent Loading Saved Passwords into Process Memory
Following disclosure on 11 May that Microsoft Edge loads saved passwords as plaintext into process memory at startup, Microsoft confirmed it will release a patch preventing password data from being loaded into memory outside of active use contexts. The fix addresses the specific vulnerability class that allows process memory dumpers to extract Edge-saved credentials without user interaction.
Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch
Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.