A major security concern has been raised about how passwords are handled in Microsoft Edge, after a Norwegian cybersecurity researcher found that the browser stores credentials in memory in clear text. The researcher, Tom Jøran Sønstebyseter Rønning, reported that passwords saved in Microsoft Edge remain unencrypted in system memory. This could expose sensitive login data to anyone who is able to access the computer through other means, including users with shared administrative privileges.

The researcher, Tom Jøran Sønstebyseter Rønning, reported that passwords saved in Microsoft Edge remain unencrypted in system memory. This could expose sensitive login data to anyone who is able to access the computer through other means, including users with shared administrative privileges.

Rønning noted that Edge behaves differently from other Chromium-based browsers he has tested. According to him, it is the only browser in that category that stores credentials in this manner.

After reporting the issue to Microsoft, Rønning said he was informed that the behavior is “by design.”

He further explained that Edge decrypts all stored credentials at startup, regardless of whether the user visits websites associated with those credentials during a session. However, accessing these passwords is not straightforward. An attacker would still need administrative access to a system, which already represents a serious security breach. With such access, they can view the memory of processes belonging to all logged-in users.

This also creates a scenario where someone with administrative rights on one account could potentially access stored credentials belonging to other users currently logged into the same system. To demonstrate this, Rønning published an Edge password dumping tool on GitHub that simulates how such an attack could be carried out.

While it is generally accepted that administrative access already allows significant control over a system, the situation raises additional concerns. Many users operate their PCs with administrative privileges by default. Even in such cases, password managers and services often require additional authentication steps, such as master passwords or two-factor authentication.

According to International Cyber Digest, storing passwords in cleartext in memory increases the risk in shared environments, effectively turning such systems into potential sources for credential harvesting.

Last year, a researcher known as LopezLucio666 raised the issue with Microsoft. In response, the company said that “after careful investigation, this case has been assessed as not a vulnerability and no security issue and does not meet Microsoft’s bar for immediate servicing.”

By comparison, Google Chrome handles credential decryption differently. Chrome only decrypts passwords when needed, rather than keeping them decrypted in memory at all times. It also ties the decryption process to an authenticated Chrome process, preventing other processes on the system from replicating access to its encryption keys.

Microsoft has addressed aspects of this topic on its password manager security FAQ page. The company states that even if an attacker has administrative rights or offline access to a system, its design is intended to prevent access to plaintext passwords for users who are not actively logged in.

However, findings from Tom Jøran Sønstebyseter Rønning and other researchers suggest the protections may not be fully effective in stopping attackers from accessing plaintext credentials under certain conditions. These concerns have led to calls for Microsoft to re-examine the behavior.

📢 For the latest Tech & Telecom news, videos and analysis join ProPakistani's WhatsApp Group now!

Follow ProPakistani on Google News & scroll through your favourite content faster!