An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they’re not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.
Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway’s BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.
The basic issue is that Microsoft Edge decrypts and stores all passwords that have been saved in the browser in process memory, “even if the person never visits the site that uses those credentials,” Rønning, offensive security/internal penetration tester and technical team lead of proactive security at Norway’s Statnett SF, wrote on X in one of a series of posts detailing the issue. He conducted the research about the issue in his own time and not in his role at the company, he noted.
This sets up an extremely risky scenario, especially for shared corporate environments, he said, because an attacker who gains admin access on a terminal service “can access the memory of all logged‑on user processes,” Rønning wrote.
Microsoft did not immediately respond to a Dark Reading request for comment.
Exploiting a Microsoft Browser Weakness
Speaking to Dark Reading by phone, Rønning explained how an attacker with administrative access can exploit the issue in an organization running a Windows environment by accessing process memory via Citrix, virtual desktop infrastructure (VDI), or a Windows terminal server.
“Once you have that, you have access to all process memory. … If another user has stored their passwords in Edge, you can dump these credentials” and use them for myriad malicious activities, he tells Dark Reading.
“You can snowball into having more user credentials, and more and more permissions,” Rønning says. An attacker can use credentials stolen from the browser to move laterally, impersonate other users, steal personal account data or financial resources, and even conduct ransomware attacks, among other malicious activities, he explains.
Edge Passwords: A False Sense of Security
Something that seems counter-intuitive about the issue is that for a user to access their saved passwords in Edge, they must type in a separate password, Rønning says. However, the cleartext storage issue in the browser basically can cancel this out if exploited, letting someone access all Edge passwords even when an Edge session itself isn’t active on someone’s machine, he notes.
“Since you’re an admin, you can start processes as the other user, so you can make Edge start [on a remote desktop],” Rønning says. “So if people have Edge running but aren’t using it,” their passwords still can be accessed.
In fact, this gives people a false sense of security, Danwei Tran Luciani, chief product technology officer at application security vendor Detectify, tells Dark Reading via email.
“The main risk is that the product signals one level of protection while operating at another,” he says. “In enterprise environments, where devices could be shared, sessions persist, and privileges vary, that mismatch increases the likelihood that a local breach turns into credential exposure.”
This scenario “effectively widens the blast radius: one foothold on an endpoint can translate into access across multiple accounts and systems,” Luciani says.
‘By Design’: A Feature, Not a Bug?
Rønning said he reported the issue to Microsoft and informed them he would be sharing his PoC and findings. “The official response was that the behavior is ‘by design,’” he wrote on X. Microsoft did not immediately respond to Dark Reading’s request for comment on this issue or whether the company plans to change Edge’s design.
Edge is based on the open source Chromium framework, which is also the basis for Google Chrome, Opera, Brave, and Vivaldi. Rønning says he tested Chrome and Brave, among other browsers, and found Edge to be the only Chromium-based browser that behaves this way. Chrome, by contrast, uses a design that makes it more difficult for attackers to extract saved passwords, he said in his findings.
“It decrypts credentials only when needed, instead of keeping all passwords in memory at all times,” he wrote on X. “App‑bound encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.”
Because of these controls, Chrome, Brave, and other Chromium browsers using ABE only show plaintext passwords briefly during autofill or when the user views them, “making broad memory scraping far less effective,” Rønning wrote.
Microsoft’s explanation for not using ABE and allowing the cleartext password storage is that “when you’re talking about security boundaries, when you have administrator access, all bets are off,” he explains.
However, Rønning says that, in his experience, ABE still helps: the activity an attacker must perform to defeat it is easier to detect than a plain memory read in cases where no such protection exists. “Also, what I found is that Edge loads all the passwords in memory even though you don’t need them,” which is “a strange design decision to make,” he adds.
How Orgs Can Defend Against Browser Security Problems
The most basic defense for an organization running Windows with Edge as the default browser — which Rønning says many corporate Windows environments do — is to set group policies that prevent Edge from storing passwords.
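The following is an added example, not code from the article or from Rønning’s PoC tool. It sets, on a single machine, the same registry value that the Microsoft Edge administrative template writes for the “PasswordManagerEnabled” policy, and then verifies it. The key path and value name are the documented ones for Edge policies; the function names are this example’s own. In a domain the policy would normally be deployed through Group Policy or Intune rather than by writing the registry directly.

```powershell
# Added example (not from the article or Rønning's tool): turn off Edge's built-in
# password manager via the documented policy registry value, then verify it.
# Must run in an elevated PowerShell session; the HKLM policy branch is machine-wide.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Disable-EdgePasswordManager {
    # Create the policy key if no Edge policy has been set on this machine yet.
    if (-not (Test-Path $EdgePolicyKey)) {
        New-Item -Path $EdgePolicyKey -Force | Out-Null
    }
    # PasswordManagerEnabled = 0 (REG_DWORD) disables saving passwords in Edge.
    New-ItemProperty -Path $EdgePolicyKey -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-EdgePasswordManagerDisabled {
    # Returns $true only when the policy value exists and is 0.
    $item = Get-ItemProperty -Path $EdgePolicyKey -Name 'PasswordManagerEnabled' `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.PasswordManagerEnabled -eq 0)
}

Disable-EdgePasswordManager
if (Test-EdgePasswordManagerDisabled) {
    Write-Output 'Edge password manager disabled by policy. Restart Edge and confirm at edge://policy.'
} else {
    Write-Warning 'Policy value not applied; check that this session is elevated.'
}
```

Two caveats a practitioner should check. First, per the policy documentation, disabling the password manager stops users from saving new passwords but does not by itself delete passwords already saved, so existing entries should be removed from edge://settings/passwords (or the profile data cleared) for the policy to close the exposure described above. Second, confirm the policy is reported as applied on edge://policy, since a value written under the wrong hive or with the wrong type is silently ignored.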
For personal users who use Edge at home or on a corporate system without these group policies, his advice is “to not use Edge at all,” as “this attack vector would probably not be easy to stop regardless.”
Luciani’s advice to organizations, meanwhile, is to reduce reliance on the browser as a credential store in enterprise contexts. Instead, organizations should “use dedicated, managed password solutions with stronger access controls; limit local and admin privileges; and pay close attention to endpoint monitoring, especially for behaviors like memory scraping,” he says.
“It also matters to think about where browsers are used: shared machines, [virtual] environments, and privileged sessions carry higher risk and should be treated accordingly,” Luciani adds.
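As an added example of the endpoint monitoring Luciani recommends (not code from the article, Detectify, or Rønning), the script below flags processes that open a handle with PROCESS_VM_READ on an msedge.exe process, which is the access a memory scraper needs. It assumes Sysmon is installed with a ProcessAccess (Event ID 10) rule covering msedge.exe; without such a rule Sysmon records no Event ID 10 for Edge at all. The allow-list of expected source images and the sample records are constructed for illustration, and the function names are this example’s own.

```powershell
# Added example (not from the article or Rønning's PoC): hunt Sysmon Event ID 10
# (ProcessAccess) for non-Edge processes reading Edge process memory.
# Assumes a Sysmon ProcessAccess rule that logs TargetImage msedge.exe.

$ProcessVmRead = 0x0010   # PROCESS_VM_READ: needed to read another process's memory

# Constructed allow-list of images that legitimately open Edge with read access.
# Tune for your environment (EDR agents, crash reporters, etc.).
$ExpectedSources = @(
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    'C:\Windows\System32\csrss.exe'
)

function Test-SuspiciousEdgeAccess {
    param(
        [string]$SourceImage,
        [string]$TargetImage,
        [string]$GrantedAccess   # Sysmon logs the access mask as a hex string, e.g. '0x1010'
    )
    if ($TargetImage -notlike '*\msedge.exe') { return $false }
    if ($ExpectedSources -contains $SourceImage) { return $false }
    $mask = [Convert]::ToInt32($GrantedAccess, 16)
    return (($mask -band $ProcessVmRead) -ne 0)
}

function Get-SuspiciousEdgeAccessEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if (Test-SuspiciousEdgeAccess $data.SourceImage $data.TargetImage $data.GrantedAccess) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $data.SourceImage
                SourceUser    = $data.SourceUser   # SourceUser/TargetUser: Sysmon 14+
                TargetUser    = $data.TargetUser   # differing users = cross-session read
                GrantedAccess = $data.GrantedAccess
                CallTrace     = $data.CallTrace
            }
        }
    }
}

# Constructed sample records so the rule can be exercised without a live Sysmon log.
$samples = @(
    @{ SourceImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       GrantedAccess = '0x1410' },   # Edge opening its own child: expected
    @{ SourceImage = 'C:\Users\admin\Desktop\dumper.exe'
       TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
       GrantedAccess = '0x1010' },   # unknown tool with VM_READ on Edge: suspicious
    @{ SourceImage = 'C:\Users\admin\Desktop\tool.exe'
       TargetImage = 'C:\Windows\System32\notepad.exe'
       GrantedAccess = '0x1FFFFF' }  # not Edge: ignored by this rule
)
foreach ($s in $samples) {
    '{0} -> {1}: suspicious={2}' -f $s.SourceImage, $s.TargetImage, (Test-SuspiciousEdgeAccess @s)
}

# Live hunt over the last day, most recent first:
# Get-SuspiciousEdgeAccessEvents -Hours 24 | Sort-Object Time -Descending | Format-Table
```

On a terminal server the most telling hits are those where SourceUser and TargetUser differ, which is exactly the cross-session read Rønning describes. This is detection rather than prevention: an attacker who already holds administrator rights can also stop Sysmon or read memory through a path the rule does not cover, so alerts from this query should feed a response process, not stand in for the policy and privilege controls above.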