VYPR
Research · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Microsoft Edge Found Storing Passwords in Cleartext in Memory

Security researchers have discovered that Microsoft Edge stores user passwords in cleartext within its process memory, allowing local users or malware to extract credentials without elevated privileges.

Security researchers have identified a significant vulnerability in Microsoft Edge that allows for the extraction of stored user passwords in cleartext directly from the browser's memory. The issue, first highlighted by researcher @L1v1ng0ffTh3L4N, demonstrates that credentials saved within the browser are not adequately protected while the application is running (SANS Internet Storm Center).

The technical mechanism behind this exposure is straightforward, requiring no elevated privileges beyond those of the currently logged-in Windows user. An attacker, or malicious software running under the user's context, can simply open the Windows Task Manager, locate the "browser" sub-task for Microsoft Edge, and create a memory dump of the process. Once the dump file is generated, standard utilities like the Microsoft Sysinternals Strings tool can be used to parse the memory contents (SANS Internet Storm Center).

Because Edge stores credentials in a predictable format, typically following a pattern of <url><protocol><userid><password>, an attacker can easily filter the memory dump to extract sensitive data. By searching for specific strings such as "comhttps," researchers found they could retrieve a neatly organized list of stored credentials. This process bypasses the browser's internal security controls, which typically require biometric authentication or Windows Hello verification before displaying saved passwords within the application interface (SANS Internet Storm Center).
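To check on a test machine whether a given Edge build shows this behaviour, a defender can save a known canary credential in a throwaway profile, dump the browser process as described above, and confirm whether the canary appears in cleartext. The script below is an added example, not code from the researchers or from SANS; the canary value and all function names are assumptions, and it looks for the two encodings Sysinternals Strings scans for by default (ASCII and UTF-16LE).

```python
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time; browser dumps can be gigabytes


def needle_forms(canary: str) -> dict:
    """Byte forms a cleartext string can take in Windows process memory."""
    return {"ascii/utf-8": canary.encode("utf-8"),
            "utf-16le": canary.encode("utf-16-le")}


def count_in_file(path: str, needle: bytes) -> int:
    """Count needle occurrences, including ones that straddle a chunk edge."""
    hits, tail, keep = 0, b"", len(needle) - 1
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            buf = tail + chunk
            hits += buf.count(needle)
            # Carry len(needle)-1 bytes: enough to complete a split match,
            # too few to hold a whole one, so nothing is counted twice.
            tail = buf[-keep:] if keep else b""
    return hits


def audit_dump(path: str, canaries: dict) -> dict:
    """Return {label: {encoding: count}} for each planted canary value."""
    report = {}
    for label, value in canaries.items():
        if not value:
            raise ValueError(f"empty canary for {label!r}")
        report[label] = {enc: count_in_file(path, needle)
                         for enc, needle in needle_forms(value).items()}
    return report


def exposed(report: dict) -> bool:
    """True if any canary was found in cleartext in any encoding."""
    return any(n for per_enc in report.values() for n in per_enc.values())


def make_constructed_dump(path: str, canary: str) -> None:
    """Constructed stand-in for a .DMP file: filler bytes plus the canary."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (CHUNK - 10))   # next write straddles a chunk edge
        fh.write(canary.encode("utf-16-le"))
        fh.write(b"\xff" * 4096 + canary.encode("utf-8") + b"\xff" * 4096)


if __name__ == "__main__":
    canary = "Canary-7f3a-NOT-A-REAL-PASSWORD"   # constructed test value
    dump = os.path.join(tempfile.mkdtemp(), "constructed.dmp")
    make_constructed_dump(dump, canary)
    print(audit_dump(dump, {"password": canary}))
```

Running the same audit before and after a browser update or policy change shows whether the canary is still resident in cleartext.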

The impact of this vulnerability is substantial, as it effectively renders the browser's built-in password protection features moot. While Microsoft requires authentication to view passwords through the Edge settings menu, the underlying data remains exposed in the process memory, accessible to any process or actor with local user access. This creates a "strong front door, open window" scenario where the browser's security theater is undermined by the lack of memory-level encryption for sensitive data (SANS Internet Storm Center).

Microsoft has reportedly classified this behavior as "intended," according to reports from researchers (SANS Internet Storm Center). As of now, there is no indication of a patch or a change in how Edge handles credential storage in memory. Users concerned about this exposure are advised to consider alternative browsers or to be aware that any malware executing with their user permissions can access their stored credentials with minimal effort (SANS Internet Storm Center).

This discovery highlights a broader, ongoing challenge in endpoint security: the difficulty of protecting sensitive data in memory from local processes. As security researchers continue to scrutinize browser architectures, this case serves as a reminder that even applications with robust user-facing security features may harbor significant, easily exploitable flaws in their underlying implementation. Security professionals and users alike should monitor for further updates or guidance from Microsoft regarding this design choice.

Synthesized by Vypr AI