An attacker with administrative privileges can read the passwords a Microsoft Edge user has saved, even when those passwords are not in use, because the browser holds every saved credential decrypted in the memory of its process. Microsoft has described this as a design decision.
Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.
The basic issue is that Microsoft Edge decrypts and stores all passwords that have been saved in the browser in process memory, "even if the person never visits the site that uses those credentials," Rønning, offensive security/internal penetration tester and technical team lead of proactive security at Norway's Statnett SF, wrote on X in one of a series of posts detailing the issue. He conducted the research about the issue in his own time and not in his role at the company, he noted.
This sets up an extremely risky scenario, especially for shared corporate environments, he said, because an attacker who gains admin access on a terminal service "can access the memory of all logged‑on user processes," Rønning wrote.
Microsoft did not immediately respond to a Dark Reading request for comment.
Exploiting a Microsoft Browser Weakness
Speaking to Dark Reading by phone, Rønning explained how an attacker with administrative access can exploit the issue in a Windows environment where many users' sessions run on one host, such as Citrix, virtual desktop infrastructure (VDI), or a Windows terminal server, by reading the memory of other users' Edge processes.
"Once you have that, you have access to all process memory. … If another user has stored their passwords in Edge, you can dump these credentials" and use them for myriad malicious activities, he tells Dark Reading.
"You can snowball into having more user credentials, and more and more permissions," Rønning says. An attacker can use these credentials stolen from the browser to move laterally, to impersonate other users, steal personal account data or even financial resources, and even conduct ransomware attacks, among other malicious activities, he explains.
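The scenario above (an administrator on a shared host opening another user's Edge process and reading its memory) is something a defender can look for rather than only worry about. The following is an added example, not code from the article or from Rønning's PoC: a small detector that runs over Sysmon Event ID 10 (ProcessAccess) records and flags a process owned by one user being granted PROCESS_VM_READ on an msedge.exe process owned by a different user. It assumes Sysmon's Event 10 field names (SourceImage, TargetImage, GrantedAccess, and the SourceUser/TargetUser fields present in recent Sysmon versions), the sample records are constructed, and the allowlist of security-tool images is a placeholder you would tune to your own estate.

```python
import json
from typing import Dict, List

# Process access-right bit from winnt.h (real constant). Any mask with this bit
# set lets the holder read the target's memory; PROCESS_ALL_ACCESS includes it.
PROCESS_VM_READ = 0x0010

# Constructed allowlist: source images expected to touch other users' processes
# (AV/EDR engines). Matching on basename only is deliberately simple; in
# production pair it with the full path and code-signing identity.
ALLOWED_SOURCE_BASENAMES = {"msmpeng.exe"}

# Constructed Sysmon Event ID 10 records as JSON lines (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID":10,"UtcTime":"2025-01-15 09:12:03.117","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceUser":"NT AUTHORITY\\SYSTEM","TargetImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","TargetUser":"CORP\\alice","GrantedAccess":"0x1400"}
{"EventID":10,"UtcTime":"2025-01-15 09:12:04.020","SourceImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","SourceUser":"CORP\\alice","TargetImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","TargetUser":"CORP\\alice","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"UtcTime":"2025-01-15 09:15:41.552","SourceImage":"C:\\Tools\\procdump.exe","SourceUser":"CORP\\bob","TargetImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","TargetUser":"CORP\\alice","GrantedAccess":"0x1FFFFF"}
{"EventID":10,"UtcTime":"2025-01-15 09:16:00.001","SourceImage":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe","SourceUser":"NT AUTHORITY\\SYSTEM","TargetImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","TargetUser":"CORP\\alice","GrantedAccess":"0x1010"}
{"EventID":10,"UtcTime":"2025-01-15 09:18:12.300","SourceImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceUser":"CORP\\helpdesk-admin","TargetImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","TargetUser":"CORP\\carol","GrantedAccess":"0x1010"}
{"EventID":10,"UtcTime":"2025-01-15 09:18:13.000","SourceImage":"C:\\Tools\\procdump.exe","SourceUser":"CORP\\bob","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","TargetUser":"CORP\\alice","GrantedAccess":"0x1FFFFF"}
{"EventID":1,"UtcTime":"2025-01-15 09:18:14.000","Image":"C:\\Windows\\System32\\notepad.exe","User":"CORP\\alice"}
"""


def access_mask(value) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    if isinstance(value, int):
        return value
    return int(str(value), 16)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_cross_user_edge_reads(jsonl: str, target: str = "msedge.exe") -> List[Dict]:
    """Return one finding per Event 10 where a process owned by one user is
    granted memory-read access to another user's Edge process."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 10:
            continue
        if basename(ev.get("TargetImage", "")) != target:
            continue
        mask = access_mask(ev.get("GrantedAccess", "0x0"))
        if not mask & PROCESS_VM_READ:
            continue  # query-only handles cannot read credentials out of memory
        src_user = ev.get("SourceUser", "").lower()
        tgt_user = ev.get("TargetUser", "").lower()
        if src_user == tgt_user:
            continue  # Edge's own renderer/GPU children and same-user tooling
        if basename(ev.get("SourceImage", "")) in ALLOWED_SOURCE_BASENAMES:
            continue  # expected cross-user reader (AV/EDR), per the allowlist
        findings.append({
            "time": ev.get("UtcTime"),
            "source_image_name": basename(ev.get("SourceImage", "")),
            "source_user": ev.get("SourceUser"),
            "target_user": ev.get("TargetUser"),
            "granted_access": hex(mask),
        })
    return findings


if __name__ == "__main__":
    for f in detect_cross_user_edge_reads(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['source_user']} ({f['source_image_name']}) "
              f"read memory of {f['target_user']}'s msedge.exe "
              f"[GrantedAccess={f['granted_access']}]")
```

On the constructed sample the detector reports the procdump.exe and powershell.exe accesses and ignores the kernel-side csrss.exe handle (no VM_READ bit), Edge's own same-user child processes, the allowlisted AV engine, and the chrome.exe target. The same-user filter is the important design choice: on a terminal server the signal is not "something opened Edge" but "someone else's process opened Edge with read access", which is exactly the admin-on-a-shared-host case the article describes.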