Microsoft Edge Password Manager Flaw Exposes Credentials in Plain Text
A Norwegian security researcher, Tom Jøran Sønstebyseter Rønning, has uncovered a critical vulnerability in Microsoft Edge’s built-in Password Manager: saved credentials sit in plain text in the browser’s process memory, and they are loaded there again every time the browser is closed and relaunched. The issue affects every device running Edge, but it matters most on shared or enterprise machines, where anyone able to read Edge’s process memory (another local user with sufficient rights, or malware already running on the host) can harvest every saved password.
Rønning demonstrated that Edge decrypts all stored passwords at startup and keeps them in memory whether or not the user ever visits the associated sites, so an attacker does not have to wait for a login to occur. Google Chrome, by contrast, protects its stored browser data with App-Bound Encryption, which ties the key for the on-disk store to a privileged service; the relevant difference is that Chrome does not bulk-decrypt every credential into memory at launch, while Microsoft’s approach leaves the passwords extractable with minimal technical effort. The researcher plans to release a tool on GitHub that verifies the flaw, which underlines how accessible the technique is to attackers.
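The behaviour described above suggests a simple, repeatable check that an administrator can run before trusting a browser’s password manager: save a throw-away credential whose password is a unique canary string, close and relaunch the browser without visiting that site, then scan the browser’s processes for the canary bytes. A hit in a writable heap region means the credential was decrypted eagerly at startup. The script below is an added example written for this page; it is not the researcher’s forthcoming tool and not Microsoft code. It assumes Linux (Edge also ships for Linux) and reads memory through /proc/<pid>/maps and /proc/<pid>/mem, which requires ptrace rights over the target (same user with kernel.yama.ptrace_scope=0, or root); on Windows the same scan is done with OpenProcess and ReadProcessMemory. It searches for both the UTF-8 and the UTF-16LE form of the canary, since Chromium-based browsers hold much of their string data as UTF-16. The canary value CANARY-3f9a1c7e, the file name edge_canary.py and the fake memory image used for the stand-alone run are constructed sample data.

```python
"""Canary check: is a saved browser password sitting in plain text in memory?
Added example, not the researcher's tool.  Save a throw-away credential whose
password is a unique canary, relaunch the browser without visiting that site,
then scan its processes for the canary bytes.  Linux /proc interface; on
Windows the same scan uses OpenProcess/ReadProcessMemory."""
import re
import sys
from typing import Callable, Dict, Iterator, List, Tuple

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def encodings(secret: str) -> Dict[str, bytes]:
    """Chromium keeps much string data as UTF-16, so search both encodings."""
    return {"utf-8": secret.encode("utf-8"), "utf-16le": secret.encode("utf-16-le")}


def parse_maps(maps_text: str) -> Iterator[Tuple[int, int, str, str]]:
    """Yield (start, end, perms, path) for each mapping line."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)


def scan_regions(maps_text: str, read: Callable[[int, int], bytes],
                 needles: Dict[str, bytes], chunk: int = 1 << 20) -> List[Tuple[int, str, str]]:
    """Search readable+writable regions (heap, malloc arenas, stacks) for the
    needles.  Chunks overlap by one byte less than the longest needle, so a
    match straddling a chunk boundary is found exactly once.
    Returns (address, encoding, mapping path) triples."""
    hits: List[Tuple[int, str, str]] = []
    overlap = max(len(n) for n in needles.values()) - 1
    for start, end, perms, path in parse_maps(maps_text):
        if not perms.startswith("rw") or path.startswith("[v"):
            continue  # code / read-only data, or [vvar]/[vsyscall]
        pos, carry = start, b""
        while pos < end:
            try:
                data = read(pos, min(chunk, end - pos))
            except (OSError, OverflowError, ValueError):
                break  # unreadable page, process gone, or kernel-only address
            if not data:
                break
            window, base = carry + data, pos - len(carry)
            for enc, needle in needles.items():
                off = window.find(needle)
                while off != -1:
                    if off + len(needle) > len(carry):  # ends in fresh bytes: new match
                        hits.append((base + off, enc, path))
                    off = window.find(needle, off + 1)
            carry = window[-overlap:] if overlap else b""
            pos += len(data)
    return hits


def open_process(pid: int):
    """(maps_text, read) for a live pid.  Needs ptrace rights over it: same
    user with kernel.yama.ptrace_scope=0, or root / CAP_SYS_PTRACE."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    mem = open(f"/proc/{pid}/mem", "rb", buffering=0)

    def read(addr: int, size: int) -> bytes:
        mem.seek(addr)
        return mem.read(size)
    return maps_text, read


def constructed_sample():
    """Constructed stand-in for a process: fake maps table plus a 4 KiB heap
    image holding the canary once as UTF-16LE and once as UTF-8, the UTF-8
    copy placed so that it straddles a 512-byte chunk boundary."""
    needles = encodings("CANARY-3f9a1c7e")
    base = 0x7F0000000000
    maps_text = (f"{base:x}-{base + 0x1000:x} rw-p 00000000 00:00 0          [heap]\n"
                 f"{base + 0x1000:x}-{base + 0x2000:x} r-xp 00000000 08:01 4242 /usr/lib/libfake.so\n"
                 "ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]\n")
    image = bytearray(0x1000)
    image[0x100:0x100 + len(needles["utf-16le"])] = needles["utf-16le"]
    image[0x3F8:0x3F8 + len(needles["utf-8"])] = needles["utf-8"]

    def read(addr: int, size: int) -> bytes:
        if not base <= addr < base + 0x1000:
            raise OSError("unmapped")
        return bytes(image[addr - base:addr - base + size])
    return maps_text, read, needles


if __name__ == "__main__":
    if len(sys.argv) > 2:  # python edge_canary.py <canary-password> $(pgrep msedge)
        needles = encodings(sys.argv[1])
        for pid in map(int, sys.argv[2:]):
            maps_text, read = open_process(pid)
            for addr, enc, path in scan_regions(maps_text, read, needles):
                print(f"pid {pid}: canary ({enc}) at {addr:#x} in {path or 'anon'}")
    else:  # no arguments: exercise the constructed sample
        maps_text, read, needles = constructed_sample()
        for addr, enc, path in scan_regions(maps_text, read, needles, chunk=512):
            print(f"sample: canary ({enc}) at {addr:#x} in {path}")
```

Run it as `python edge_canary.py CANARY-3f9a1c7e $(pgrep msedge)` against a live browser (Edge spawns many processes, so pass all of them); with no arguments it scans the constructed sample and reports the two planted copies. Restricting the scan to rw mappings keeps it to heap and stack data, and the chunked read with an overlap of one byte less than the longest needle is what makes a match that straddles a chunk boundary count exactly once. A negative result only shows that the canary is not present as a contiguous UTF-8 or UTF-16LE string at the moment of the scan, not that the store is safe.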
Microsoft has dismissed the issue as "by design," a stance criticized by cybersecurity experts, including Beauceron Security CEO David Shipley. Shipley argued that the response reflects a lack of motivation to prioritize security in a free browser, contrasting it with competitors such as Google that have implemented stronger protections. In practice the design lowers the bar for cybercriminals, and for info-stealer malware in particular: once it is running on a compromised system it can scrape every saved password straight out of the Edge process instead of waiting for the user to log in.
The discovery follows a pattern of Microsoft downplaying security concerns, with earlier reports likewise labeled "working as intended." Microsoft has not commented further. The issue underscores a broader risk of browser-based password management, especially for organizations standardized on Edge in enterprise environments: a password manager is only as strong as the protection it gives its decrypted secrets while the browser is running. Other browsers, such as Chrome, do not exhibit the same vulnerability.
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
Rating record:
{
  "id": "MIC1778012656",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

Incident details:
{
  "affected_entities": [
    {
      "customers_affected": "All Microsoft Edge users, particularly enterprise environments",
      "industry": "Technology/Software",
      "location": "Global",
      "name": "Microsoft",
      "size": "Large",
      "type": "Corporation"
    }
  ],
  "attack_vector": "Browser Process Memory",
  "customer_advisories": "Users are advised to avoid storing sensitive credentials in Microsoft Edge’s Password Manager until the vulnerability is addressed.",
  "data_breach": {
    "data_encryption": "No (plain text in memory)",
    "personally_identifiable_information": "Yes (stored credentials)",
    "sensitivity_of_data": "High (plain text credentials)",
    "type_of_data_compromised": "Credentials"
  },
  "description": "A critical vulnerability in Microsoft Edge’s built-in Password Manager was discovered, where saved credentials remain exposed in plain text within the browser’s process memory even after the browser is closed and reopened. The issue affects all devices running Edge, particularly shared or enterprise machines, where unauthorized access could lead to credential theft.",
  "impact": {
    "brand_reputation_impact": "Negative impact due to perceived security negligence",
    "data_compromised": "User credentials",
    "identity_theft_risk": "High",
    "operational_impact": "Increased risk of credential theft on shared or enterprise machines",
    "systems_affected": "Microsoft Edge browser on all devices"
  },
  "investigation_status": "Publicly disclosed, no resolution from Microsoft",
  "lessons_learned": "Browser-based password managers require stronger security measures, such as App Bound Encryption, to prevent plain text credential exposure. Enterprise environments are particularly vulnerable to such flaws.",
  "post_incident_analysis": {
    "corrective_actions": "Implement App Bound Encryption or similar protections; avoid plain text credential storage in memory",
    "root_causes": "Lack of encryption for credentials in browser process memory, design choice by Microsoft"
  },
  "recommendations": [
    "Microsoft should implement App Bound Encryption or similar protections for Edge’s Password Manager.",
    "Users should avoid storing sensitive credentials in browser-based password managers until the issue is resolved.",
    "Organizations should assess the risks of using Edge in enterprise environments and consider alternative browsers with stronger security controls."
  ],
  "references": [
    {
      "source": "Norwegian security researcher (Tom Jøran Sønstebyseter Rønning)",
      "url": "https://github.com/[tool-to-be-released]"
    },
    {
      "source": "Beauceron Security (David Shipley)"
    }
  ],
  "response": {
    "communication_strategy": "Dismissed as 'by design'"
  },
  "stakeholder_advisories": "Microsoft has dismissed the issue as 'by design.' Cybersecurity experts advise caution in using Edge’s Password Manager.",
  "title": "Microsoft Edge Password Manager Flaw Exposes Credentials in Plain Text",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "Plain text credential storage in memory"
}