VYPR
Research · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Microsoft Edge Cleartext Password Storage Poses Enterprise Security Risk

A security researcher has discovered that Microsoft Edge stores saved passwords in cleartext within process memory, allowing attackers with administrative access to extract credentials from shared enterprise systems.

Security researcher Tom Jøran Sønstebyseter Rønning has disclosed a significant security vulnerability in Microsoft Edge, revealing that the browser stores saved user passwords in cleartext within its process memory. This design choice allows an attacker with administrative privileges on a Windows system to extract these credentials, even if the user is not actively browsing or using the Edge application (Dark Reading).

The technical mechanism involves the browser decrypting and caching all saved passwords in memory upon initialization. Rønning demonstrated that because these credentials reside in the process memory, an attacker who gains administrative access to a terminal server, virtual desktop infrastructure (VDI), or Citrix environment can perform a memory dump to harvest the cleartext passwords of all logged-on users (Dark Reading).

The impact of this vulnerability is particularly severe in shared enterprise environments. By exploiting this memory-resident data, an attacker can move laterally across a network, impersonate users, access sensitive financial or personal data, and potentially facilitate ransomware attacks. Rønning noted that even if a user has configured Edge to require a secondary password for accessing saved credentials, the cleartext storage in memory effectively bypasses this protection, as an administrator can force the browser to start or access the memory of existing processes to retrieve the data (Dark Reading).
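One way a defender can watch for the memory access described above, as an added example that is not from the article or from Rønning's PoC: it triages Sysmon ProcessAccess (Event ID 10) records for non-Edge processes that open `msedge.exe` with memory-read rights. It assumes Sysmon ProcessAccess logging is enabled and the records are already parsed into dicts; the allowlist, the `memread.exe` path, the user names and all sample events are constructed.

```python
# Added example (not from the article): triage Sysmon Event ID 10 records.
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
EDGE_PATH = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Assumption: full paths allowed to read Edge memory (default Edge install path;
# add your EDR agent). Matching the full path, not the file name, catches renamed tools.
ALLOWED_SOURCES = {EDGE_PATH.lower()}

def suspicious_edge_reads(events, allowed=ALLOWED_SOURCES):
    """Return ProcessAccess events where an unexpected process can read Edge memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\msedge.exe"):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0x0"), 16)
        except (TypeError, ValueError):
            continue  # malformed field: skip rather than crash the pipeline
        if not access & PROCESS_VM_READ:
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in allowed:
            continue
        hits.append({
            "source": source,
            "access": hex(access),
            "target_user": ev.get("TargetUser"),
            # On terminal server / VDI hosts, one account reading another
            # user's Edge process is the scenario the article describes.
            "cross_user": ev.get("SourceUser") != ev.get("TargetUser"),
        })
    return hits

def _ev(src, dst, access, src_user, dst_user):
    return {"EventID": 10, "SourceImage": src, "TargetImage": dst,
            "GrantedAccess": access, "SourceUser": src_user, "TargetUser": dst_user}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    _ev(EDGE_PATH, EDGE_PATH, "0x1fffff", r"CORP\alice", r"CORP\alice"),
    _ev(r"C:\Tools\memread.exe", EDGE_PATH, "0x1410", r"CORP\admin1", r"CORP\alice"),
    _ev(r"C:\Windows\explorer.exe", EDGE_PATH, "0x1000", r"CORP\bob", r"CORP\bob"),
    _ev(r"C:\Tools\memread.exe", r"C:\Windows\notepad.exe", "0x1fffff", r"CORP\admin1", r"CORP\bob"),
    _ev(r"C:\Users\bob\AppData\Local\Temp\msedge.exe", EDGE_PATH, "0x0010", r"CORP\bob", r"CORP\bob"),
]

if __name__ == "__main__":
    for hit in suspicious_edge_reads(SAMPLE_EVENTS):
        print(hit)
```

Expect to tune the allowlist: endpoint security agents and some system processes legitimately open browser processes with read access.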

Rønning, who serves as a technical team lead at Statnett SF, conducted this research independently and has released a proof-of-concept (PoC) tool on GitHub to illustrate the risk. He reported the findings to Microsoft, but the company officially classified the behavior as "by design" (Dark Reading).

Industry experts have criticized this approach, noting that it creates a dangerous discrepancy between the security features users expect and the actual protection provided. Danwei Tran Luciani of Detectify highlighted that this mismatch significantly widens the "blast radius" of a local breach, as a single compromised endpoint can lead to widespread credential exposure across an entire organization (Dark Reading).

This disclosure underscores the ongoing challenges of managing browser-based credential storage in multi-user environments. While Edge is built on the Chromium framework (which is also utilized by browsers like Chrome, Brave, and Opera), Rønning's research suggests that the specific implementation in Edge presents a unique risk profile for enterprise deployments. Organizations relying on shared workstations or remote desktop services may need to reevaluate their reliance on built-in browser password managers in light of these findings (Dark Reading).

Synthesized by Vypr AI