Microsoft Edge Stores Your Entire Password Vault in Cleartext Process Memory — Every Session

dark6 5 May 2026

A security researcher has uncovered a serious design flaw in Microsoft Edge: the browser decrypts every password stored in its password vault into process memory the moment it launches — and keeps them there as cleartext for the entire browser session, even if the user never visits any of those sites. The disclosure, made on April 29, 2026, has drawn significant attention from the security community for what it reveals about Edge’s approach to credential protection.

The Discovery

The finding was made by researcher @L1v1ng0ffTh3L4N at PaloAltoNtwks Norway, published on the BigBiteOfTech blog. The researcher conducted a systematic comparison of credential memory handling behavior across every major Chromium-based browser, and Edge stood alone in its approach: it loads the entire password vault into plaintext process memory at startup and retains it there for the duration of the session.

Every other Chromium-based browser tested, including Google Chrome, uses on-demand decryption — credentials are only decrypted at the precise moment they are needed, such as during autofill or when a user explicitly opens the password manager to view a stored credential. Chrome additionally enforces App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing any other process from reusing those keys to access credentials.

Edge offers none of these protections. From the moment the browser opens, every saved credential across every account in the user’s vault sits in plaintext in browser process memory — accessible to any process that can read it.

The Dangerous Contradiction in Edge’s UI

One of the most striking aspects of this finding is what the researcher describes as a “security theater” contradiction in Edge’s interface. When a user opens the Password Manager and tries to view a saved password, Edge prompts for re-authentication via Windows Hello or an account password before displaying the credential.

Yet that same credential is already sitting in plaintext in the browser’s process memory, completely accessible to any attacker who can query it. The re-authentication prompt offers only the illusion of access control. It prevents a casual user at an unlocked terminal from clicking “show password,” but provides absolutely no protection against an attacker performing memory-based credential extraction — which is precisely the threat that matters in real-world compromise scenarios.

High-Risk Environments: RDS and Terminal Servers

The severity of this design decision escalates dramatically in shared or multi-user environments such as Remote Desktop Services (RDS), Virtual Desktop Infrastructure (VDI), and terminal servers. In these environments, multiple users may be simultaneously logged in to the same host machine, each running their own Edge browser session.

An attacker who achieves administrative privileges on such a system can read the process memory of every logged-on user simultaneously. In a proof-of-concept video accompanying the disclosure, a compromised administrator account was used to extract stored credentials from two other logged-on users — including users with disconnected (but still active) sessions — simply by reading their Edge browser process memory.

This transforms a single admin-level compromise into a complete credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK technique T1555.003 — Credentials from Web Browsers.

Microsoft’s Official Response: “Working as Designed”

When the researcher responsibly disclosed the findings to Microsoft, the company’s official response was that the behavior is “by design.” Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, and the company categorizes such scenarios as outside Edge’s threat model.

This response has been met with significant criticism from security professionals. While it is technically accurate that local administrator access is often treated as a boundary in threat modeling, the argument fails to account for the practical reality of enterprise environments where:

  • Administrative credentials are frequently compromised through phishing, pass-the-hash, and lateral movement
  • Shared server environments place many users’ credentials within reach of a single compromised admin account
  • Competing browsers like Chrome have demonstrably implemented stronger in-memory protections

What Security Teams Should Do

Until Microsoft changes this design decision, organizations using Microsoft Edge — particularly in shared-access environments — should take the following steps:

  • Avoid Edge on RDS/VDI servers: Migrate to browsers that implement on-demand decryption and App-Bound Encryption, such as Google Chrome.
  • Do not store sensitive credentials in Edge’s password manager on any shared or multi-user system.
  • Use a dedicated password manager (such as 1Password, Bitwarden, or KeePass) that does not persist decrypted credentials in process memory for the full session.
  • Monitor for T1555.003 activity in your SIEM or EDR telemetry — look for processes reading the memory of browser processes, particularly on terminal servers.
  • Audit administrative access to systems where Edge is deployed, and apply the principle of least privilege aggressively.
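To make the monitoring recommendation concrete, here is an added example (not code from the disclosure or from this article) that screens Sysmon Event ID 10 (ProcessAccess) records for processes other than Edge itself opening msedge.exe with the PROCESS_VM_READ right, and rates a read by a different user's process (the terminal-server case) as the higher severity. The sample records, their key=value|key=value layout, and the allowlist are constructed assumptions; the SourceUser/TargetUser fields are assumed to be present, as they are in recent Sysmon releases.

```python
import ntpath

PROCESS_VM_READ = 0x0010          # access-right bit needed to read another process's memory
BROWSER_IMAGE = "msedge.exe"
ALLOWED_SOURCES = {"msedge.exe"}  # Edge's own processes open each other (assumed allowlist)

# Constructed sample records, not real telemetry, flattened to key=value|key=value.
EDGE_PATH = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    f"SourceImage={EDGE_PATH}|SourceUser=CORP\\alice|TargetImage={EDGE_PATH}|TargetUser=CORP\\alice|GrantedAccess=0x1FFFFF",
    f"SourceImage=C:\\Windows\\System32\\csrss.exe|SourceUser=NT AUTHORITY\\SYSTEM|TargetImage={EDGE_PATH}|TargetUser=CORP\\bob|GrantedAccess=0x1000",
    f"SourceImage=C:\\Users\\admin\\Downloads\\unknown.exe|SourceUser=CORP\\admin|TargetImage={EDGE_PATH}|TargetUser=CORP\\bob|GrantedAccess=0x1010",
    f"SourceImage=C:\\Tools\\procexp64.exe|SourceUser=CORP\\alice|TargetImage={EDGE_PATH}|TargetUser=CORP\\alice|GrantedAccess=0x0410",
    f"SourceImage=C:\\Windows\\System32\\svchost.exe|SourceUser=NT AUTHORITY\\SYSTEM|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetUser=CORP\\bob|GrantedAccess=0x0010",
]


def parse_event(line):
    """Parse one flattened Event ID 10 record into a dict of its fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """None if benign; 'medium' for a same-user read, 'high' for a cross-user read."""
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != BROWSER_IMAGE or source in ALLOWED_SOURCES:
        return None
    if not int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
        return None  # handle opened without the right needed to read memory
    # On RDS/VDI hosts, one user's process reading another user's browser is the worst case.
    if event.get("SourceUser", "").lower() != event.get("TargetUser", "").lower():
        return "high"
    return "medium"


def analyze(lines):
    """Return (severity, source image, target user) for every suspicious record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event["SourceImage"], event.get("TargetUser", "")))
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

Sysmon does not record ProcessAccess events for browser processes unless its configuration explicitly includes msedge.exe as a target, so check that rule exists before relying on this logic.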

Individual users concerned about this behavior can use the free verification tool released alongside the disclosure to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released specifically to raise awareness and encourage independent validation of the behavior.

A Wake-Up Call for Browser Security Assumptions

This discovery challenges a common assumption among users and IT administrators: that a browser’s password manager, protected by a re-authentication prompt, is genuinely secure. For Microsoft Edge, that assumption is wrong. The credential protection UI is cosmetic — the passwords are already in memory, and no authentication prompt protects them from a sufficiently privileged attacker on the same machine.

Enterprises that have standardized on Edge for their browser fleet, particularly those operating Windows-based RDS or VDI environments, should reassess their password management strategy and treat this finding as a high-priority configuration risk that demands immediate action.
