Users who store passwords in their web browser should exercise greater caution following a discovery by a Norwegian security expert. The investigation revealed a significant flaw in Microsoft Edge, where saved credentials remain visible in unencrypted form within the system's memory, as highlighted in a recent online post.
Anyone with physical access to the device could extract these credentials directly from memory, whether or not the passwords have been used recently, and copy them without having to defeat any encryption. In a demonstration video, Tom Jøran Sønstebyseter Rønning illustrates the issue: Microsoft Edge loads all saved passwords into memory without obfuscation, even while the browser is idle.
This problem impacts the built-in password management feature of Microsoft Edge. Standard password tools employ full encryption and cloud-based storage for cross-device availability. They typically unlock the data only when required and clear it from memory promptly afterward.
Retaining all credentials in an unencrypted state in memory sets Edge apart as an atypical and risky approach. According to Rønning, no other browser based on the Chromium engine exhibits this trait among those he examined.
Although Edge requires verification before it will display passwords in its manager, that safeguard does nothing to stop software that reads the browser's memory directly and retrieves the credentials from there.
After reporting the issue to Microsoft, Rønning received a surprising reply. As noted by ITavisen in a translated account, the unencrypted handling in Edge's password system represents an intentional choice rather than an error. The rationale behind this approach remains unexplained.
Undeterred, Rønning has chosen to alert the public to the mechanism and intends to release a detection tool on GitHub, allowing users to verify if their Edge-stored passwords appear in plain text.
For those relying on Edge for password storage, experts recommend switching to a more reliable third-party option and removing all entries from the browser. Those seeking recommendations can explore PCWorld's selections for top password management solutions.