Microsoft backtracks on Edge storing your passwords in plaintext RAM
Summary created by Good Solutions AI
In summary:
- Microsoft Edge previously stored user passwords in unencrypted plaintext in computer memory, creating a significant security vulnerability that allowed local attackers to easily access saved credentials.
- Security researcher Tom Jøran Sønstebyseter Rønning uncovered this flaw, which Microsoft initially defended as a deliberate design decision before reversing course.
- PCWorld reports that Microsoft has fixed this issue in Edge version 148 and recommends users migrate to dedicated password managers for better security.
Updated on May 18th, 2026: While Microsoft initially said the plaintext password behavior was “a deliberate design decision,” the company has now changed its tune. Starting with Edge version 148, the browser will no longer keep all passwords loaded in unencrypted form.
Original story from May 5th, 2026: If you tend to save your passwords in your browser, you need to be more careful. A security researcher from Norway has uncovered a serious vulnerability in Microsoft Edge that reveals passwords are stored in memory as plaintext, as shown in this social media post.
Any malicious user with local access could easily intercept all of your saved passwords, even if they haven’t been used at all during a given session. Attackers could simply retrieve and copy them in plaintext. In a video, Tom Jøran Sønstebyseter Rønning demonstrates it in action:
Serious flaw in Edge’s password manager
The vulnerability affects Microsoft Edge’s password manager. Password managers usually use end-to-end encryption and store passwords in cloud storage so that users can access them from anywhere. When passwords are needed, password managers usually decrypt them for use and then delete them afterwards.
The fact that Edge keeps all passwords loaded without any encryption is both unusual and dangerous. Other password managers, including those that are built into browsers, don’t operate in this way—Rønning says Edge is the only Chromium-based browser he’s tested with this behavior.
Edge does require authentication to view passwords in the password manager, but this is of little protective value if attackers can simply gain access by reading the RAM, which is what happens here.
Is this intentional or a bug?
Rønning apparently shared his findings with Microsoft and received an unexpected response. According to ITavisen (machine translated), Edge’s password management behavior is “a deliberate design decision, not a bug.” It’s unclear what benefit this design offers for users.
Rønning decided to warn users about how it works anyway, and also plans to publish his own tool on GitHub, which any user can use to check whether their Edge passwords are stored in plaintext.
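A defender's self-check for the behavior described above, as an added example (it is not Rønning's tool and not code from the article): it scans a memory dump of your own browser process for a canary password you saved beforehand, in both UTF-8 and UTF-16LE. The canary value, the sample buffer and the choice of encodings are assumptions made for the example.

```python
import io

ENCODINGS = ("utf-8", "utf-16-le")  # assumption: common in-memory string forms
CANARY = "CANARY-7f3a-not-a-real-password"  # constructed value, saved by you
# Constructed stand-in for a dump: the canary once as UTF-16LE, once as UTF-8.
SAMPLE_DUMP = (b"\x00" * 37 + CANARY.encode("utf-16-le")
               + b"\xff" * 20 + CANARY.encode("utf-8") + b"\x00" * 5)


def find_canary(stream, canary, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits for a known canary in a binary
    stream. Only the canary you supply is searched for."""
    if not canary:
        raise ValueError("canary must be a non-empty string")
    needles = {enc: canary.encode(enc) for enc in ENCODINGS}
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0  # base = offset of window[0] in stream
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for enc, needle in needles.items():
            pos = window.find(needle)
            while pos != -1:
                hits.add((base + pos, enc))
                pos = window.find(needle, pos + 1)
        # Carry the last `overlap` bytes so a match split across two reads
        # is still found; the set removes hits seen twice in the carry-over.
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc in find_canary(io.BytesIO(SAMPLE_DUMP), CANARY, 16):
        print(f"canary found in plaintext at offset {offset} ({enc})")
```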
If you use Edge and have passwords saved in the browser, you should migrate to another password manager that’s actually secure, then delete all of your passwords from Edge. If you don’t know where to start, check out PCWorld’s picks for the best password managers.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.

