
Microsoft Edge users who entrust the browser with their saved passwords are facing a potential threat. A security researcher, identified by a handle, uncovered a startling flaw: Edge retains passwords as plain text within its unencrypted process memory. An attacker who gains system access can instantly view all your credentials for email, banking, and social media, according to reports from Cyber Security.
Microsoft has acknowledged the issue but characterized it as… “by design.” Company documentation states that data in the browser’s memory can indeed be accessed during a local attack scenario. In simpler terms, if malware or an intruder is already present within your system, your passwords are essentially exposed.
For contrast, Google Chrome decrypts on demand: accessing the password vault requires a specific system call. Edge, conversely, loads the entire password store in cleartext at startup and keeps it accessible for the whole session.
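The two designs contrasted above can be modelled side by side. This is an added example, not code from Edge, Chrome or the original report: it counts how many saved secrets each design leaves in cleartext while idle. The toy cipher, the `key_provider` callable (standing in for the system call), and all names and credentials are assumptions constructed for illustration.

```python
import hashlib
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytearray:
    # Toy SHA-256 counter keystream: a stand-in for a real AEAD, illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return out

def seal(key: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(_xor_stream(key, nonce, secret))

class EagerVault:
    """Decrypts every entry at startup and keeps it for the whole session."""
    def __init__(self, key, sealed):
        self.plain = {s: _xor_stream(key, b[:16], b[16:]) for s, b in sealed.items()}
    def use(self, site, fn):
        return fn(self.plain[site])
    def held_bytes(self):
        return b"".join(bytes(v) for v in self.plain.values())

class OnDemandVault:
    """Keeps ciphertext only; fetches the key per use and wipes its own buffer."""
    def __init__(self, key_provider, sealed):
        self.key_provider, self.sealed = key_provider, dict(sealed)
    def use(self, site, fn):
        blob = self.sealed[site]
        buf = _xor_stream(self.key_provider(), blob[:16], blob[16:])
        try:
            return fn(buf)
        finally:
            buf[:] = bytes(len(buf))  # zero this buffer; runtime copies are not modelled
    def held_bytes(self):
        return b"".join(self.sealed.values())

def exposed(vault, secrets):
    """Count known secrets readable in cleartext in what the vault holds at rest."""
    return sum(1 for s in secrets if s in vault.held_bytes())

def demo():
    key = os.urandom(32)  # constructed; assumed to be guarded by the OS in practice
    creds = {"mail.example": b"constructed-pw-1", "bank.example": b"constructed-pw-2"}
    sealed = {site: seal(key, pw) for site, pw in creds.items()}
    eager, lazy = EagerVault(key, sealed), OnDemandVault(lambda: key, sealed)
    lazy.use("bank.example", len)  # one autofill-style use, then wiped
    return exposed(eager, creds.values()), exposed(lazy, creds.values())
```

`demo()` returns the cleartext count for each design: every entry for the eager vault, none for the on-demand vault once its single use has finished.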
Millions of corporate and private Windows users, who use Edge by default, are likely unaware that their “secure” browser possesses this vulnerability. Experts are recommending that users either cease using the integrated password manager in Edge or switch to an alternative browser altogether until Microsoft redesigns its architecture. Meanwhile, the company is classifying this vulnerability as a feature.