A security researcher has raised concerns about how Microsoft Edge handles saved passwords, revealing behavior that could increase the risk of credential exposure under certain conditions.
According to findings shared by @L1v1ng0ffTh3L4N , Edge decrypts all stored passwords at startup and keeps them in the browser’s memory — even if those credentials are not actively being used.
This means sensitive login data may remain accessible in plaintext within system memory for the duration of the browser session.
What Was Discovered
The researcher demonstrated that when Edge launches, it loads saved credentials into memory in a decrypted form.
This occurs regardless of whether the user visits a site associated with those credentials.
At the same time, Edge still requires user authentication when accessing passwords through its password manager interface, creating a contrast between user-facing security and internal behavior.
How Chrome Handles It Differently
In comparison, Google Chrome uses a more restrictive model.
Chrome decrypts passwords only when needed, such as during autofill or when the user explicitly views stored credentials.
It also uses additional protections like App-Bound Encryption (ABE), which ties decryption capabilities to the authenticated browser process.
This approach limits the window in which passwords appear in memory, reducing the effectiveness of memory-based extraction techniques.
Why This Matters
The primary risk scenario involves systems where an attacker gains administrative or high-level access.
In such cases, it may be possible to read process memory and extract sensitive data.
- Shared computers or enterprise environments
- Terminal servers with multiple users
- Compromised systems with elevated privileges
The researcher demonstrated that credentials from multiple logged-in users could potentially be accessed if Edge is running in those sessions.
Microsoft’s Response
The issue was reported to Microsoft, and the company responded that this behavior is “by design.”
This suggests the current implementation is intentional, rather than a bug or unintended flaw.
However, the disclosure has sparked discussion around whether this design choice introduces unnecessary risk compared to alternative approaches.
Proof of Concept and Disclosure
The researcher has published a proof-of-concept tool demonstrating how passwords can be extracted from memory.
The tool is intended for educational and security awareness purposes, helping users understand how credentials may be handled internally.
More details and updates were shared publicly through the researcher’s account:
Important Context
This issue does not represent a remote exploit or immediate threat to most users.
Access to system memory typically requires elevated privileges or prior system compromise.
However, the findings highlight differences in how browsers manage sensitive data internally and may influence security decisions in enterprise or shared environments.
The Bigger Picture
As browsers continue to store more sensitive data — from passwords to authentication tokens — internal security design becomes increasingly important.
Even small architectural differences can have significant implications in high-risk scenarios.
This case highlights an ongoing trade-off between performance, usability, and strict security isolation in modern browsers.
Sources
- Research and posts by @L1v1ng0ffTh3L4N
- XCancel profile
- GitHub Proof of Concept
This article was written by DigitalEscapeTools based on publicly shared research and security analysis.
