A significant security flaw has been identified in how Microsoft Edge handles sensitive data, potentially turning shared computing environments into a "credential harvest" for attackers. Norwegian cybersecurity researcher Tom Jøran Sønstebyseter Rønning recently discovered that Microsoft Edge saves passwords in cleartext within the system's memory, leaving them vulnerable to anyone with sufficient access to the machine.

The Vulnerability: Cleartext Passwords in Memory

According to Rønning, the browser decrypts every stored credential at startup, regardless of whether the user is actively visiting a site that requires those specific credentials. This means the decrypted data sits in the system's RAM, waiting to be intercepted.

While accessing this data isn't a trivial task for a casual user, it poses a massive risk in certain environments:

  • Shared Administrative Access: An attacker with administrative rights on a terminal server can access the memory of all logged-on user processes.
  • Credential Harvesting: In shared environments, an admin can use these cleartext passwords to compromise the accounts of every other logged-in user.
  • Systemic Exposure: Because many standard PC users operate with administrative privileges by default, the barrier to entry for this exploit is lower than it appears.
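The shared-host risk above is what a defender would want to see in telemetry: one user's process opening another user's browser process with memory-read rights. The following is an added detection example, not code from the article or from the researcher's tooling. It assumes Sysmon-style ProcessAccess records (Event ID 10) with the fields SourceImage, TargetImage, GrantedAccess, SourceUser and TargetUser; the events in SAMPLE_EVENTS and the source allowlist are constructed for the example.

```python
"""Flag cross-process memory reads against Microsoft Edge.

Added detection example (not from the article). Assumes Sysmon-style
ProcessAccess records (Event ID 10); SAMPLE_EVENTS is constructed.
"""
import ntpath

# PROCESS_VM_READ: the access right a process needs to read another
# process's memory. A GrantedAccess mask containing it is the signal.
PROCESS_VM_READ = 0x0010

# Browser processes whose memory holds decrypted credentials.
BROWSER_PROCESSES = {"msedge.exe"}

# Source images expected to open browser processes (assumed allowlist;
# tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

SAMPLE_EVENTS = [
    # Benign: a system service opens Edge without VM_READ.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetUser": r"CORP\alice"},
    # Suspicious: an unknown binary run by one user reads the memory of
    # another user's Edge process (the shared-host scenario).
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1010",
     "SourceUser": r"CORP\bob", "TargetUser": r"CORP\alice"},
    # Not a browser target: ignored even though VM_READ is present.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    # Different event type: skipped.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def is_browser(image):
    """True when the image's file name is a monitored browser process."""
    return ntpath.basename(image).lower() in BROWSER_PROCESSES


def find_browser_memory_reads(events):
    """Return one finding per ProcessAccess event that reads a browser's
    memory from a non-allowlisted source. Each finding records whether the
    read crosses a user boundary, which is the credential-harvest case."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not is_browser(ev["TargetImage"]):
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue
        findings.append({
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "granted": hex(granted),
            "cross_user": ev["SourceUser"].lower() != ev["TargetUser"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_browser_memory_reads(SAMPLE_EVENTS):
        tag = "CROSS-USER " if f["cross_user"] else ""
        print(f"{tag}memory read of {f['target']} by {f['source']} ({f['granted']})")
```

On a real terminal server the allowlist will need the legitimate tooling (EDR agents, crash handlers) added, and the cross-user flag is the one worth paging on: same-user reads of a browser are common, while a different account reading a browser's memory matches the scenario the article describes.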

Rønning has even demonstrated the severity of this issue by posting an Edge password dumper tool on GitHub, which simulates the process of extracting these stored credentials.

Microsoft's "By Design" Defense

When the issue was reported to Microsoft, the tech giant reportedly maintained that this behavior is "by design." This stance suggests that Microsoft does not view the presence of decrypted passwords in memory as a security vulnerability.

This approach stands in stark contrast to other browsers. For instance, Google Chrome only decrypts credentials when they are specifically required and binds the decryption process to an authenticated Chrome process. This prevents other processes on the machine from duplicating the encryption keys or accessing the plaintext data.

Microsoft’s official documentation regarding password manager security argues that even if an attacker gains admin rights or offline access, the system is designed to prevent them from retrieving plaintext passwords for users who are not currently logged in. However, Rønning's research suggests this protection fails when a user is active on a shared system.

As researchers continue to highlight how Microsoft Edge saves passwords in cleartext, the pressure mounts on Microsoft to reconsider their architectural decisions and protect users from large-scale credential theft.