Microsoft Defends Edge’s Plaintext Password Memory Storage as “By Design”
Microsoft has officially classified the Microsoft Edge browser's practice of keeping the entire password vault in plaintext memory as an intentional design choice, despite security concerns regarding credential harvesting.
Microsoft has confirmed that the Microsoft Edge browser’s practice of loading an entire password vault into plaintext process memory at startup is an intentional design choice, rather than a security vulnerability. This behavior, which persists for the duration of a user's browser session, distinguishes Edge from other Chromium-based browsers like Google Chrome, which typically decrypt credentials only on an as-needed basis, such as during autofill or when a user explicitly requests to view a password (Malwarebytes Labs).
The technical mechanism involves Edge keeping the decrypted password vault accessible within the browser's process memory. A security researcher demonstrated that this implementation allows for relatively straightforward credential harvesting. Using a proof-of-concept (PoC), the researcher showed that an attacker with the ability to read process memory, a task that generally requires elevated privileges, can extract the entire vault without needing to exploit complex zero-day vulnerabilities (Malwarebytes Labs).
While other Chromium-based browsers employ additional security layers, such as app-bound encryption for keys, Edge does not apply these specific protections in this context. Microsoft’s official stance is that this behavior is "by design," likely intended to optimize the speed of sign-in and autofill features. The company maintains that because an attacker would already need a significant foothold, such as code execution and elevated privileges, to read the browser's memory, the risk falls outside the scope of its current design considerations (Malwarebytes Labs).
The impact of this design is that it simplifies post-compromise credential harvesting for threat actors. Infostealers, which frequently possess the capability to read process memory once they have gained a foothold on a machine, can leverage this behavior to quickly exfiltrate sensitive data. This finding highlights a notable security disparity, as Edge appears to be the weakest among major browsers regarding the storage of credentials in memory (Malwarebytes Labs).
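Because the vault can only be reached by reading the Edge process's memory, one practical defender-side check is to hunt for unexpected processes that open a handle to msedge.exe with memory-read rights. The following is an added example, not code from the article, Malwarebytes Labs, or Microsoft; it assumes Sysmon ProcessAccess (Event ID 10) telemetry rendered as constructed key=value lines, and the allow-list of known sources is a placeholder to tune per environment.

```python
"""Flag processes that open msedge.exe with PROCESS_VM_READ access.

Added example; assumes Sysmon Event ID 10 (ProcessAccess) fields
SourceImage / TargetImage / GrantedAccess, here as constructed
key=value lines rather than the real XML/JSON event payload.
"""
import re

# Windows access right that allows reading another process's memory.
PROCESS_VM_READ = 0x0010

# Placeholder allow-list: system components expected to open browser
# processes on a healthy host. Tune this for your own environment.
KNOWN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1000",
]

# Values may contain spaces (e.g. "Program Files (x86)"), so a value runs
# until the next "Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict of Sysmon-style fields."""
    return dict(FIELD_RE.findall(line))


def is_edge_memory_read(event):
    """True if a non-allow-listed process obtained VM_READ on msedge.exe."""
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0"), 16)
    if not target.endswith("\\msedge.exe"):
        return False
    if source in KNOWN_SOURCES:
        return False
    return bool(access & PROCESS_VM_READ)


def find_suspicious(lines):
    """Return (SourceImage, GrantedAccess) for each flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_edge_memory_read(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits
```

Only the Temp-directory binary that reads msedge.exe memory is flagged; the same binary touching explorer.exe and svchost.exe with query-only rights are not.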
Security experts continue to advise caution regarding the use of built-in browser password managers. While these tools offer convenience, they introduce inherent risks. Users are encouraged to consider disabling autofill to maintain greater control and, most importantly, to implement multi-factor authentication (MFA) wherever possible to mitigate the impact of compromised credentials. Furthermore, users are advised against storing highly sensitive information, such as credit card details or medical records, within browser-based managers (Malwarebytes Labs).
This disclosure underscores the ongoing tension between browser performance and security architecture. As infostealers evolve, the way browsers handle sensitive data in memory becomes an increasingly critical attack surface. This incident serves as a reminder that even "by design" features can significantly alter the threat landscape for end users, necessitating a layered approach to digital security beyond relying solely on browser-native tools (Malwarebytes Labs).