
Microsoft says it is changing how Edge handles saved passwords in memory following public criticism and the release of a proof-of-concept tool that demonstrated credentials could be extracted in cleartext from the browser’s process memory.
Microsoft confirmed that future versions of Edge will no longer preload saved passwords into memory during startup, a behavior security researcher Tom Jøran Sønstebyseter Rønning recently highlighted. The company said the change is already available in Edge Canary and will roll out to all supported Edge channels in build 148 and later.
The issue gained attention earlier this month after Rønning released a GitHub-hosted PoC tool called EdgeSavedPasswordsDumper, which showed that usernames and passwords stored through Microsoft Edge’s integrated password manager could be recovered directly from the browser’s parent process memory. According to the researcher, Edge version 147.0.3912.98 loaded all stored credentials into memory regardless of whether they were actively needed.
Rønning tested several Chromium-based browsers, including Google Chrome and Brave, and claimed he did not observe the same behavior in those products. His findings triggered debate within the security community because Microsoft had reportedly classified the behavior as “by design” when it was first reported.
Microsoft Edge is the company’s Chromium-based browser, widely used across Windows consumer and enterprise environments. The browser includes Microsoft Password Manager integration, allowing users to synchronize credentials across devices and Microsoft accounts for autofill and sign-in functionality.
In its new statement, Microsoft defended its earlier assessment that the issue did not constitute a traditional security vulnerability because exploiting it would require an attacker to already have local access to a compromised device.
“This is because the reported scenario requires an attacker who already has control of the user’s device,” Microsoft explained. “Once the attacker can run unsafe software locally, the situation is beyond the defenses of the browser.”
The company noted that local attacks and malware running with elevated privileges are considered outside the threat model for modern browser password managers, adding that the report did not introduce a new attack vector capable of bypassing browser protections remotely.
However, Microsoft acknowledged that the behavior still represented unnecessary exposure and said the company is taking a broader “defense-in-depth” approach under its Secure Future Initiative (SFI). As part of that effort, Edge will stop automatically loading stored passwords into process memory at launch.
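To make the design difference concrete, here is an added example (not Microsoft's code, and not Edge's real password-store format) that models the two loading strategies the article contrasts: a vault that decrypts every saved credential at startup, and one that keeps only ciphertext resident, decrypts a single entry on demand, and wipes the buffer as soon as the caller is done. The keystream cipher, the `EagerVault`/`OnDemandVault` classes and the sample origins and passwords are all constructed for this demo; `resident_plaintext()` stands in for what a memory snapshot of the process would see, counting only buffers the vault itself holds.

```python
"""Eager vs. on-demand loading of stored credentials (constructed demo)."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# --- Toy encrypted vault ----------------------------------------------------
# An HMAC-SHA256 keystream stands in for a real AEAD cipher. This is an
# assumption for the demo only; Edge's actual on-disk format is not modelled.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt one credential; returns (nonce, ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ct

def open_into(key: bytes, nonce: bytes, ct: bytes) -> bytearray:
    """Decrypt into a mutable buffer so the caller can zero it afterwards."""
    return bytearray(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wipe(buf: bytearray) -> None:
    for i in range(len(buf)):
        buf[i] = 0

# --- Two loading strategies --------------------------------------------------

class EagerVault:
    """Decrypts every entry at startup: all plaintext stays resident for the process lifetime."""
    def __init__(self, key: bytes, entries: Dict[str, Tuple[bytes, bytes]]):
        self._plain = {origin: open_into(key, n, c) for origin, (n, c) in entries.items()}

    def resident_plaintext(self) -> bytes:
        # Simulated memory snapshot: every decrypted credential is visible.
        return b"".join(self._plain.values())

class OnDemandVault:
    """Keeps only ciphertext resident; decrypts one entry per use and wipes it afterwards."""
    def __init__(self, key: bytes, entries: Dict[str, Tuple[bytes, bytes]]):
        self._key = key
        self._entries = dict(entries)
        self._in_use: List[bytearray] = []

    def with_password(self, origin: str, fn: Callable[[bytearray], object]):
        n, c = self._entries[origin]
        buf = open_into(self._key, n, c)
        self._in_use.append(buf)
        try:
            return fn(buf)          # caller works on the mutable buffer, never a str copy
        finally:
            wipe(buf)               # zero the plaintext before releasing it
            self._in_use.remove(buf)

    def resident_plaintext(self) -> bytes:
        # Simulated memory snapshot: only entries currently in use are visible.
        return b"".join(self._in_use)

# --- Demo --------------------------------------------------------------------

def build_demo_vault() -> Tuple[bytes, Dict[str, Tuple[bytes, bytes]]]:
    """Constructed sample data; the origins and passwords are made up for this example."""
    key = os.urandom(32)
    plaintext = {
        "https://mail.example.test": b"correct-horse-battery-staple",
        "https://bank.example.test": b"another-constructed-secret",
    }
    return key, {origin: seal(key, pw) for origin, pw in plaintext.items()}

def compare_strategies() -> Tuple[bool, bool, bool, bool]:
    """Returns (eager_exposed, lazy_exposed_idle, lazy_matched, lazy_exposed_after_use)."""
    key, sealed = build_demo_vault()
    eager, lazy = EagerVault(key, sealed), OnDemandVault(key, sealed)
    target = b"correct-horse-battery-staple"
    eager_exposed = target in eager.resident_plaintext()
    lazy_idle = target in lazy.resident_plaintext()
    matched = lazy.with_password("https://mail.example.test",
                                 lambda buf: hmac.compare_digest(buf, target))
    lazy_after = target in lazy.resident_plaintext()
    return eager_exposed, lazy_idle, matched, lazy_after

if __name__ == "__main__":
    print(compare_strategies())
```

The eager vault exposes every credential from the moment the process starts, which is the condition the PoC relied on; the on-demand vault narrows the exposure window to the single entry in use and zeroes it afterward. Neither design defends against code already running on the device, as Microsoft's statement points out, but the second one removes the needless resident copy.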
The update applies across all supported Edge release channels, including Stable, Beta, Dev, Canary, and Extended Stable editions used by enterprise customers. Microsoft said users do not need to take any action beyond installing routine browser updates.
The company also said it is reevaluating how it handles future researcher submissions after criticism surrounding its initial response to the report.
“Our initial response was based on the shared security criteria for the Chromium project,” Microsoft stated. “That’s a baseline, and we hold ourselves to a higher bar.”