Microsoft is updating the Edge web browser to stop loading saved passwords into process memory in clear text during startup [1, 2, 3].

This change addresses a significant security gap that could allow malicious software to steal user credentials. When passwords exist in plaintext within the system's memory, they become vulnerable to extraction by any process with sufficient privileges to read that memory space.

The shift comes after a security researcher demonstrated that the previous behavior provided "a way for a malware infection to easily loot passwords from the browser," a spokesperson said [2]. The researcher's findings highlighted that the lack of encryption in memory created a direct path for credential theft.

Microsoft previously described the loading behavior as being "by design" [1]. Despite the upcoming change, the company has continued to deny that the previous implementation constituted a security risk [3].

The update will roll out globally to Edge users [1, 2]. A Microsoft spokesperson said, "Edge will no longer load passwords into memory on startup" [2].

The company's reversal follows a period of public backlash and technical scrutiny regarding how the browser handled sensitive data. While Microsoft maintained the feature was intentional, the risk of memory-scraping attacks led to the decision to modify the startup sequence.

This update represents a shift toward "security by default" in browser architecture. By no longer loading saved credentials into memory in plaintext at startup, Microsoft reduces the attack surface for memory-dumping malware, which often targets browser processes to steal session cookies and passwords.