Microsoft backpedals: Edge to stop loading passwords into memory

Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design."

This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.

Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user).

He also said he reported the issue to Microsoft and was told the behavior was "by design" before he publicly disclosed it.

"Edge is the only Chromium‑based browser I've tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory," the researcher said.

While it initially refused to address the issue, telling BleepingComputer at the time that "this is an expected feature of the application," Microsoft announced on Wednesday that future versions of Edge will no longer load saved passwords into memory on startup, even though the reported scenario falls within the expected existing threat model (which excludes attacks where an adversary already has administrative control of a device).

"This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout," said Microsoft Edge Security Lead Gareth Evans.

"With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view. That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction."

The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer).

Last year, Microsoft also introduced a new Edge security feature to protect users against malicious extensions sideloaded into the web browser, and restricted access to Edge's Internet Explorer mode after hackers began leveraging zero-day exploits in the Chakra JavaScript engine to access target devices.