Security researcher Tom Jøran Sønstebyseter Rønning discovered that Microsoft Edge loads all saved user passwords into RAM in cleartext during browsing sessions [1, 2].
This discovery highlights a potential vulnerability in how the browser handles sensitive credentials. If a malicious actor gains access to a computer's process memory, they could potentially harvest every password the user has saved in the browser without needing to crack encryption keys.
Rønning demonstrated the issue by dumping the memory of the browser on Windows computers [2, 3]. He said that Edge loads all saved passwords into RAM in cleartext, which makes credential harvesting easier for attackers [2]. He said that Edge is the only Chromium-based browser he has tested that behaves this way [4].
Microsoft responded to the findings by stating the behavior is intentional. The company decrypts saved passwords and loads them into memory to enable quick autofill functionality [3, 5]. A Microsoft spokesperson said that Edge loads all passwords into memory in plaintext, but the company does not consider it a security concern [3].
The company's position is that for an attacker to exploit this, they would already need the ability to read the process memory of the system [3, 5]. However, Rønning and other security analysts suggest that storing these credentials in an unencrypted state in memory creates an unnecessary risk [2, 4, 5].
“"Edge loads all saved passwords into RAM in cleartext, which makes credential harvesting easier for attackers."”
The dispute centers on the 'threat model' of the browser. Microsoft assumes that any attacker capable of reading system RAM already has high-level administrative access, rendering the plaintext passwords a secondary issue. Conversely, security researchers argue that minimizing the 'attack surface' is critical; by keeping passwords encrypted in memory until the exact moment of use, the browser could prevent a memory-scraping tool from compromising a user's entire digital identity in one move.
