A cybersecurity researcher has highlighted a significant security vulnerability in Microsoft Edge, revealing that the browser loads all saved passwords into memory in plain text upon startup. This behavior occurs regardless of whether the user intends to use the password manager during that session, potentially exposing credentials to attackers who have gained administrative access to the device.
The Vulnerability: Plain Text in Memory
Tom Jøran Sønstebyseter Rønning, a cybersecurity researcher, detailed the issue on X (formerly Twitter). He discovered that Microsoft Edge decrypts every stored password and holds it in the computer’s memory as soon as the browser launches.
This stands in stark contrast to other Chromium-based browsers, such as Google Chrome. Rønning noted that Chrome uses a different architectural design that makes it significantly harder for attackers to extract saved passwords simply by reading process memory.
“Edge is the only Chromium‑based browser I’ve tested that behaves this way,” Rønning stated.
The risk is particularly acute in shared or managed environments. As Rønning explained, if an attacker gains administrative access on a terminal server, they can read the memory of every logged-on user's processes, effectively harvesting passwords without needing to recover the encryption keys stored on disk.
Microsoft’s Response: It’s “By Design”
When contacted about these findings, Microsoft defended the browser’s architecture. A spokesperson told Mashable that the behavior is an expected feature intended to balance performance, usability, and security.
“Safety and security are foundational to Microsoft Edge,” the spokesperson said. “Access to browser data as described in the reported scenario would require the device to already be compromised… Browsers access password data in memory to help users sign in quickly and securely.”
Microsoft emphasized that this design choice facilitates quick and secure logins for users. However, they acknowledged that this convenience comes with trade-offs, recommending that users keep their security updates and antivirus software up to date to mitigate risks.
Industry Standards vs. Implementation
The revelation has sparked debate regarding cybersecurity best practices. The German tech publication Heise Online successfully replicated the issue and pointed out that established security practice generally dictates that passwords should only be decrypted at the time of use and removed from memory immediately afterward.
By keeping all passwords decrypted in memory throughout the session, Edge deviates from this principle. While Microsoft argues that this enhances user experience by ensuring passwords are ready for immediate use, security experts argue that it unnecessarily increases the attack surface if the device is compromised.
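The decrypt-on-use principle Heise describes can be shown side by side with the keep-everything-resident pattern the article attributes to Edge. The following Go program is an added illustration written for this article; it is not code from Edge, Chrome, or any other browser, and it assumes only the Go standard library's AES-GCM. The vault key, site name and password are constructed sample values. The Vault type stores only ciphertexts and hands a caller a single decrypted password inside a callback, wiping the buffer afterwards; DecryptAllAtStartup is the contrasting design in which every password is decrypted up front and stays in process memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault keeps every credential as an AES-GCM blob (nonce||ciphertext||tag).
// Only the vault key stays resident; a password is decrypted for one use and
// wiped afterwards. Hypothetical design for illustration, not any browser's code.
type Vault struct {
	aead  cipher.AEAD
	items map[string][]byte // site name -> sealed blob
}

// NewVault wraps a 16-, 24- or 32-byte key in AES-GCM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, items: map[string][]byte{}}, nil
}

// Store seals password under a fresh random nonce, binding the site name as
// associated data so a blob cannot be silently re-labelled for another site.
func (v *Vault) Store(site string, password []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.items[site] = v.aead.Seal(nonce, nonce, password, []byte(site))
	return nil
}

// WithSecret decrypts one entry, hands the plaintext to use, then overwrites
// the buffer before returning. Callers must not retain the slice.
func (v *Vault) WithSecret(site string, use func(pw []byte) error) error {
	blob, ok := v.items[site]
	if !ok {
		return errors.New("vault: no entry for " + site)
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return errors.New("vault: malformed blob")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(site))
	if err != nil {
		return err
	}
	defer wipe(pt) // runs even if use returns an error or panics
	return use(pt)
}

// DecryptAllAtStartup is the pattern the article describes: every password is
// decrypted up front and kept resident for the life of the process.
func (v *Vault) DecryptAllAtStartup() (map[string][]byte, error) {
	resident := map[string][]byte{}
	for site := range v.items {
		err := v.WithSecret(site, func(pw []byte) error {
			resident[site] = append([]byte(nil), pw...) // the copy escapes the wipe
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	return resident, nil
}

// ContainsPlaintext reports whether pw appears verbatim in any byte slice of m,
// i.e. whether a plain read of that structure's memory would yield the password.
func ContainsPlaintext(m map[string][]byte, pw []byte) bool {
	for _, b := range m {
		if bytes.Contains(b, pw) {
			return true
		}
	}
	return false
}

// wipe overwrites b with zeros. Go has no guaranteed secure-erase primitive and
// the garbage collector may already have copied the slice, so this is best
// effort rather than a guarantee; it still shortens the plaintext's lifetime.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Running ContainsPlaintext over the sealed store returns false, while running it over the map produced by DecryptAllAtStartup returns true: the data at rest is identical in both designs, and only the choice of when to decrypt decides whether a memory read exposes every credential or none. Binding the site name as associated data is a small extra that makes a blob copied under another site's key fail to open.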
What This Means for Users
This incident raises important questions about how tech giants balance convenience with security. While having passwords readily available is convenient, storing them in plain text in memory creates a single point of failure if the operating system or browser is breached.
For users concerned about this specific vulnerability, experts suggest two main courses of action:
– Use a dedicated password manager: Third-party password managers often offer more granular control over how and when credentials are decrypted and stored in memory.
– Ensure robust device security: Since the vulnerability requires administrative access to exploit, keeping the operating system and antivirus software updated is critical to preventing the initial compromise.
In summary, while Microsoft maintains that Edge's password handling is a deliberate design choice for performance, the practice of storing all passwords in plain text in memory remains a notable deviation from stricter security standards, and users are well advised to remain vigilant about device integrity.
